While looking in to what turned out be a false report of a vulnerability in the plugin Simple Events Calendar, we noticed there is a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin.
When the plugin’s admin page is requested, the function that generates that page checks if a new event has been submitted with the request using the
Source: Security Feed