My Calendar versions 2.5.16 and below suffer from a stored cross-site scripting vulnerability.
An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel.
In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.
The vulnerability is fixed in My Calendar 2.5.17.
Proof of Concept: https://www.gubello.me/blog/my-calendar-2-5-16-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=OvoEiJd6ggY
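The class of fix for an unsanitized value such as $eventTime, shown as an added example that is neither the plugin's code nor the author's PoC: clean the label on input and escape it at each output. The function names, the form markup and the sample label are assumptions, and htmlspecialchars() stands in for WordPress's esc_attr()/esc_html() so the script runs outside WordPress.

```php
<?php
// Added example. Function names are hypothetical; this is not My Calendar's code.

// Input side: reduce the submitted label to plain text before it is stored.
// Inside WordPress, sanitize_text_field() is the usual call for this.
function clean_time_label(string $raw): string {
    return trim((string) preg_replace('/\s+/', ' ', strip_tags($raw)));
}

// Unescaped sink, the pattern the advisory describes: the stored value is
// concatenated into the admin form as-is.
function admin_field_unescaped(string $label): string {
    return '<input type="text" name="event_time_label" value="' . $label . '" />';
}

// Output side: encode at the point of rendering, whatever was stored.
// Inside WordPress, use esc_attr() for attributes and esc_html() for text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function admin_field_escaped(string $label): string {
    return '<input type="text" name="event_time_label" value="' . h($label) . '" />';
}
function event_page_escaped(string $label): string {
    return '<span class="event-time">' . h($label) . '</span>';
}

// Parse the fragment and count the elements it produces. A correctly
// escaped label yields exactly one element (the input or the span).
function element_count(string $html): int {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    return (new DOMXPath($doc))->query('//body//*')->length;
}

// Constructed sample value standing in for a hostile event_time_label.
$label = 'All day"><script>console.log("constructed")</script>';

printf("unescaped admin field: %d element(s)\n", element_count(admin_field_unescaped($label)));
printf("escaped admin field:   %d element(s)\n", element_count(admin_field_escaped($label)));
printf("escaped event page:    %d element(s)\n", element_count(event_page_escaped($label)));
printf("label after cleaning:  %s\n", clean_time_label($label));
```

Tag stripping on input leaves quote characters in place, so escaping at each output is what keeps the value inside the attribute on both the admin panel and the event page.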