Product: My Calendar
Active installations: 30,000+
Product page: https://it.wordpress.org/plugins/my-calendar/
In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.
PROOF OF CONCEPT
My Calendar 2.5.16 is vulnerable, probably earlier versions too. Joe Dolson, My Calendar’s author, was really quick to fix the vulnerability and update the plugin.
02/04/2018 – I sent the report
03/04/2018 – My Calendar is updated to version 2.5.17 and the vulnerability is fixed
18/04/2018 – Public disclosure