The plugin does not sanitise and escape Calendar names, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create a new calendar with the following Name:
The XSS will be triggered when editing or publishing the calendar.
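An added example, not the plugin's code: a stored calendar name printed into an edit form without escaping, next to a hardened form that sanitises on save and escapes on output. The function names, the `calendar_name` field and the sample value are hypothetical, and the fallback helpers are simplified stand-ins for the WordPress functions of the same name so the script also runs outside WordPress.

```php
<?php
// Simplified stand-ins (assumption) used only when WordPress is not loaded;
// inside WordPress the real sanitize_text_field(), esc_attr(), esc_html() apply.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) {
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $s)));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Pattern the advisory describes: the stored name reaches the page as-is,
// so a quote or angle bracket in it ends the attribute and starts new markup.
function render_edit_field_unescaped($name) {
    return '<input type="text" name="calendar_name" value="' . $name . '">';
}

// Hardened output: escape for the context the name is printed in.
function render_edit_field($name) {
    return '<input type="text" name="calendar_name" value="' . esc_attr($name) . '">';
}
function render_list_row($name) {
    return '<td>' . esc_html($name) . '</td>';
}

// Hardened input: strip markup before the name is stored. This runs for every
// user, because the calendar name is plain text and needs no HTML at all,
// whether or not the account holds unfiltered_html.
function save_calendar_name($raw) {
    return sanitize_text_field($raw);
}

// Constructed sample value: harmless markup that shows whether the name can
// leave the attribute it was written into.
$submitted = 'Room A"><b>not-escaped</b>';

echo "unescaped edit form: ", render_edit_field_unescaped($submitted), "\n";
echo "escaped edit form:   ", render_edit_field($submitted), "\n";
echo "escaped list row:    ", render_list_row($submitted), "\n";
echo "sanitised on save:   ", render_edit_field(save_calendar_name($submitted)), "\n";
```

Escaping on output is the control that holds for names already stored before the fix; sanitising on save only covers new input.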
CPE

Name | Operator | Version |
---|---|---|
wp-time-slots-booking-form | lt | 1.1.63 |