Description

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
1. Go to the EventON Lite settings and create/activate a custom metadata field.
2. Then, insert the new custom metadata field.
3. Create a new Event itself and for the Custom Meta Field value, insert the payload " style=animation-name:rotation onanimationstart=alert(/XSS/)//
4. The Stored XSS will be triggered when editing the event again.
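The root cause described above is a value stored from a settings field and later printed into an HTML attribute without escaping. The following is an added illustration of the vulnerable pattern beside the hardened one; it is not EventON Lite's own code, and the function names and the meta key `evo_custom_meta` are assumed for the example. It uses only standard WordPress API functions.

```php
<?php
// Added example, not code from the EventON Lite plugin.
// Assumed: meta key 'evo_custom_meta', helper names prefixed 'example_'.

// Vulnerable pattern: the stored value is concatenated straight into an
// attribute. A value that begins with a double quote closes the value="..."
// attribute and everything after it becomes new attributes, which the
// browser then honours when the edit screen is rendered.
function example_render_meta_field_vulnerable( $post_id ) {
    $value = get_post_meta( $post_id, 'evo_custom_meta', true );
    return '<input type="text" name="evo_custom_meta" value="' . $value . '">';
}

// Hardened pattern, step 1: sanitize on save.
// sanitize_text_field() strips tags, stray %-octets and line breaks. Note
// that it does NOT neutralise an attribute-context payload on its own: a
// value with no '<' passes through unchanged, so escaping on output is the
// control that actually prevents the break-out.
function example_save_meta_field( $post_id, $raw ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_post_meta( $post_id, 'evo_custom_meta', $clean );
    return true;
}

// Hardened pattern, step 2: escape for the exact context on output.
// esc_attr() encodes the double quote (and <, >, &, '), so the stored value
// cannot terminate the attribute regardless of what reached the database and
// regardless of whether the user holds unfiltered_html.
function example_render_meta_field_hardened( $post_id ) {
    $value = get_post_meta( $post_id, 'evo_custom_meta', true );
    return '<input type="text" name="evo_custom_meta" value="' . esc_attr( $value ) . '">';
}
```

The fix that matters is the `esc_attr()` call at the point of output; sanitizing at save time is defence in depth but, as the comment notes, a payload that contains no angle brackets survives `sanitize_text_field()` intact. When reviewing a plugin for this class of bug, look for settings or meta values echoed inside attributes without `esc_attr()` (or `esc_url()` / `esc_js()` for URL and script contexts), since capability checks such as unfiltered_html do not apply to these code paths.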