CVE-2020-9459: 
WordPress vulnerability analysis and mitigation

Multiple Stored Cross-site scripting (XSS) vulnerabilities were discovered in the Webnus Modern Events Calendar Lite WordPress plugin versions through 5.1.6. The vulnerability was disclosed on February 28, 2020, and allows remote authenticated users with minimal permissions to inject arbitrary JavaScript, HTML, or CSS via Ajax actions, specifically affecting mec_save_notifications and import_settings functions (NVD Database).

The vulnerability is tracked as CVE-2020-9459 with a CVSS v3.1 Base Score of 5.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It requires low attack complexity and low privileges to exploit, though user interaction is required (NVD Database).

The vulnerability allows attackers to inject malicious scripts that can execute in users' browsers, potentially leading to theft of sensitive information or manipulation of website content. The CVSS scoring indicates low confidentiality and integrity impacts, with no impact on availability (NVD Database).

The vulnerability was patched in version 5.1.7 of the Modern Events Calendar Lite plugin. Users are advised to update to this version or later to mitigate the risk (Wordfence Blog).