CVE-2021-24927: 
WordPress vulnerability analysis and mitigation

The My Calendar WordPress plugin before version 3.2.18 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24927. The vulnerability was discovered and reported by security researcher Krzysztof Zając and was publicly disclosed on November 1, 2021 (WPScan).

The vulnerability exists because the plugin fails to properly sanitize and escape the 'callback' parameter in the mc_post_lookup AJAX action. This action is accessible to any authenticated user, including those with minimal privileges such as subscribers. When exploited, it allows for the injection of malicious JavaScript code that executes in the victim's browser (CVE Mitre, WPScan).

When successfully exploited, this vulnerability allows authenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the affected pages. This could lead to session hijacking, credential theft, or other malicious actions depending on the specific payload used (WPScan).

The vulnerability has been fixed in version 3.2.18 of the My Calendar plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue (WPScan).