CVE-2023-4021: 
WordPress vulnerability analysis and mitigation

The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Google API key and Calendar ID in versions up to, but not including, 7.1.0. The vulnerability exists due to insufficient input sanitization and output escaping, allowing authenticated attackers with administrator-level permissions to inject arbitrary web scripts that execute when users access affected pages. This vulnerability specifically impacts multi-site installations and installations where unfiltered_html has been disabled (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires high privileges and user interaction to exploit, with the attack complexity being low. The scope is changed, and it can impact both confidentiality and integrity at a low level (NVD).

When exploited, this vulnerability allows attackers with administrator-level access to inject malicious web scripts into pages. These scripts will execute whenever users visit the affected pages, potentially leading to theft of sensitive information or manipulation of page content. The impact is particularly significant in multi-site installations and when unfiltered_html is disabled (NVD).

The vulnerability has been patched in version 7.1.0 of the Modern Events Calendar lite plugin. Users are advised to update to this version or later to mitigate the risk. The fix includes improved input sanitization and output escaping mechanisms (Webnus Changelog).