The plugin does not properly sanitize or escape values set by users with access to adjust settings within wp-admin.
PoC
- Go to the Setting tab under the Calendar Lite plugin.
- Under the Setting tab, click on the Slugs/Permalinks tab.
- Enter the XSS payload into both Main Slug and Category Slug. Both fields are vulnerable. XSS payload used: ">
- Click on Save Changes, then visit the Setting tab again or reload it. The XSS will pop up.
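The missing sanitization and escaping described above, shown as a hardened settings handler; this is an added example, not the plugin's own code. It assumes the slug values are stored as WordPress options and echoed back into an `<input value="...">` attribute on the settings page, and every `example_cal_*` name is hypothetical.

```php
<?php
/**
 * Plugin Name: Slug settings hardening (added example)
 * Hypothetical identifiers: example_cal_main_slug, example_cal_category_slug,
 * example_cal_slugs. These are not the affected plugin's real names.
 */

const EXAMPLE_CAL_SLUG_OPTIONS = array(
    'example_cal_main_slug'     => 'Main Slug',
    'example_cal_category_slug' => 'Category Slug',
);

// 1. Sanitize on save: a slug only needs lowercase letters, digits and dashes,
//    so sanitize_title() strips tags, quotes and angle brackets before storage.
add_action( 'admin_init', function () {
    foreach ( array_keys( EXAMPLE_CAL_SLUG_OPTIONS ) as $option ) {
        register_setting( 'example_cal_slugs', $option, array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_title',
            'default'           => '',
        ) );
    }
} );

// 2. Escape on output: even an already-stored bad value cannot close the
//    value="" attribute once it passes through esc_attr().
function example_cal_render_slug_fields() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<form method="post" action="options.php">';
    settings_fields( 'example_cal_slugs' ); // emits the nonce and option group
    foreach ( EXAMPLE_CAL_SLUG_OPTIONS as $option => $label ) {
        $value = (string) get_option( $option, '' );
        // Vulnerable pattern for comparison: echo '<input value="' . $value . '">';
        printf(
            '<p><label>%1$s <input type="text" name="%2$s" value="%3$s"></label></p>',
            esc_html( $label ),
            esc_attr( $option ),
            esc_attr( $value )
        );
    }
    submit_button();
    echo '</form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Example slugs', 'Example slugs', 'manage_options',
        'example-cal-slugs', 'example_cal_render_slug_fields' );
} );
```

Escaping at output is the control that matters for values saved before a fix ships, since sanitizing on save does not clean options already in the database.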