Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

1. Go to the EventON Lite settings and create/activate a custom metadata field.
2. Then, insert the new custom metadata field.
3. Create a new Event and, for the Custom Meta Field value, insert the payload `" style=animation-name:rotation onanimationstart=alert(/XSS/)//`
4. The Stored XSS will be triggered when editing the event again.
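
Why the payload in step 3 takes effect and what output escaping changes, as an added example that is not EventON Lite's code. It assumes the stored value is echoed into a quoted `value` attribute (as the leading `"` in the payload suggests); the renderer functions and the field name `custom_meta_1` are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs without WordPress (PHP `dom` extension required).

```php
<?php
// Added illustration: hypothetical field renderers, not the plugin's code.

// Payload from step 3 of the proof of concept.
$payload = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//';

// Vulnerable pattern: the stored value is concatenated into a quoted attribute.
function render_field_unsafe(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// In WordPress the equivalent call is esc_attr().
function render_field_safe(string $name, string $value): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Parse the markup and return the attributes that end up on the <input>.
function input_attributes(string $html): array {
    $doc = new DOMDocument();
    @$doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

// Returns true when the payload created an event-handler attribute.
function has_event_handler(array $attrs): bool {
    foreach (array_keys($attrs) as $name) {
        if (stripos($name, 'on') === 0) {
            return true;
        }
    }
    return false;
}

$renderers = ['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'];
foreach ($renderers as $label => $fn) {
    $attrs = input_attributes($fn('custom_meta_1', $payload));
    printf("%-6s attributes: %-40s handler injected: %s\n", $label,
        implode(', ', array_keys($attrs)), has_event_handler($attrs) ? 'yes' : 'no');
}
```

Escaping at output covers values already stored in the database; sanitizing on save (for example with `sanitize_text_field()`) complements it but does not replace it.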