CVE-2024-8493: 
WordPress vulnerability analysis and mitigation

The Events Calendar WordPress plugin versions before 6.6.4 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-8493. The vulnerability was discovered by Dmitrii Ignatyev and affects administrators and users with high privileges in WordPress installations (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw exists even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. The vulnerability has been assigned a CVSS 3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly concerning in multisite WordPress installations where the unfiltered_html capability is typically disabled as a security measure (CVE).

The vulnerability has been patched in version 6.6.4 of The Events Calendar plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).