CVE-2021-24225: 
WordPress vulnerability analysis and mitigation

The Advanced Booking Calendar WordPress plugin versions before 1.6.7 contained an authenticated reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on March 28, 2021, and was assigned CVE-2021-24225. The issue affected the plugin's 'Seasons & Calendars' page where the calId GET parameter was not properly sanitized before being output in an A tag (WPScan).

The vulnerability was classified as a Cross-Site Scripting (XSS) issue with a CVSS score of 7.1 (high), falling under the OWASP Top 10 category A7 and CWE-79. The vulnerability could be exploited through the calId GET parameter in the admin interface at the path /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars. The issue stemmed from insufficient sanitization of user input before it was reflected back in an A tag (WPScan).

The vulnerability allowed authenticated attackers to inject and execute arbitrary web scripts in the context of other users' browsers who accessed the affected admin page. This could potentially lead to unauthorized actions being performed on behalf of administrators or the theft of sensitive information (WPScan).

The vulnerability was fixed in version 1.6.7 of the Advanced Booking Calendar plugin. Users should update to this version or later to protect against this security issue (WPScan).