CVE-2021-25049: 
WordPress vulnerability analysis and mitigation

CVE-2021-25049 affects the Mobile Events Manager WordPress plugin versions before 1.4.4. The vulnerability was discovered and publicly disclosed on December 24, 2021, by security researcher Varun Thorat. The issue exists in the plugin's settings functionality where various fields are not properly sanitized and escaped (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It has been assigned a CVSS score of 3.4 (Low severity). The vulnerability stems from the plugin's failure to properly sanitize and escape various settings fields, which can lead to XSS attacks even when the unfiltered_html capability is disabled (WPScan).

The vulnerability allows high-privilege users to perform Cross-Site Scripting attacks through multiple entry points in the plugin's settings, including the Event prefix field, Application Name field, and Company Name field. These XSS payloads can be triggered in both the plugin interface and the admin dashboard (WPScan).

The vulnerability has been fixed in version 1.4.4 of the Mobile Events Manager plugin. Users are advised to update to this version or later to mitigate the risk (WPScan, WordPress Plugins).