CVE-2021-24498: 
WordPress vulnerability analysis and mitigation

The Calendar Event Multi View WordPress plugin before version 1.4.01 contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24498. The vulnerability was discovered and publicly disclosed on July 5, 2021. This security issue affects the WordPress plugin cp-multi-view-calendar and was assigned a CVSS v3.1 base score of 6.1 (Medium) (NVD).

The vulnerability stems from improper input sanitization where the plugin fails to properly sanitize or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php. This implementation flaw is classified as CWE-79: Improper Neutralization of Input During Web Page Generation. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD, WPScan).

The vulnerability allows attackers to execute cross-site scripting attacks through the manipulation of GET parameters. When successfully exploited, this could lead to the execution of malicious JavaScript code in users' browsers, potentially compromising user sessions or leading to the theft of sensitive information (WPScan).

The vulnerability has been patched in version 1.4.01 of the Calendar Event Multi View WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).