CVE-2021-24813: 
WordPress vulnerability analysis and mitigation

The Events Made Easy WordPress plugin before version 2.2.24 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24813. The vulnerability was discovered in January 2021 and affects the plugin's Custom Field Names functionality. The issue stems from improper sanitization and escaping of input fields, which affects high-privilege users even when the unfiltered_html capability is disabled (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 3.5 (Low). The security flaw exists in the Custom Field Names feature where input validation is insufficient. The vulnerability is tracked as CWE-79 and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows high-privilege users to perform Cross-Site Scripting attacks on the WordPress installation, even in cases where the unfiltered_html capability is explicitly disallowed. The XSS payload can be triggered when accessing various pages including Custom Field, Pending Bookings, and Approved Bookings sections (WPScan).

The vulnerability has been patched in version 2.2.24 of the Events Made Easy plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan, WordPress).