The plugin does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin.
* Go to Setting Tab Under Calendar Lite Plugin
* Under Setting tab Click on Slugs/Permalinks tab
* Enter the XSS payload into Main Slug and Category Slug both. Both fields are vulnerable.
XSS payload used : "><script>alert(1)</script>
* Click On Save Changes. then visit to Setting tab again or reload it. XSS will popup.