CVE-2021-25046: 
WordPress vulnerability analysis and mitigation

The Modern Events Calendar Lite WordPress plugin versions before 6.2.0 contained a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Krzysztof Zając and was publicly disclosed on December 3, 2021. The issue allowed any authenticated user, including those with subscriber-level privileges, to add categories with improperly escaped parameters in the admin panel (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It received a CVSS score of 5.4 (medium severity). The vulnerability exists in the category creation functionality where parameters were not properly escaped in the admin panel. This security flaw falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability allows attackers with subscriber-level access to inject malicious JavaScript code that would execute in the context of administrative users viewing the affected categories section. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

The vulnerability was fixed in version 6.2.0 of the Modern Events Calendar Lite plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).