My Calendar versions 2.5.16 and below suffer from a stored cross-site scripting vulnerability.
An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel.
In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.
The vulnerability is fixed in My Calendar 2.5.17.
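The advisory does not reproduce the affected code, so the PHP below is an added example, not the plugin's source or its 2.5.17 patch. It contrasts echoing an event time label into a form field unescaped with escaping it for the attribute context. The `demo_*` functions are hypothetical, and the stand-ins for WordPress's `sanitize_text_field()` and `esc_attr()` are simplified so the file runs outside WordPress.

```php
<?php
// Added illustration; not the My Calendar source. Functions prefixed demo_
// are hypothetical. Outside WordPress, simplified stand-ins are defined for
// the real WordPress helpers sanitize_text_field() and esc_attr().
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Unsafe pattern: the stored label is placed into an attribute as-is.
function demo_time_label_field_unsafe($eventTime) {
    return '<input type="text" name="event_time_label" value="' . $eventTime . '" />';
}

// Hardened pattern: escape for the attribute context at output time.
function demo_time_label_field_safe($eventTime) {
    return '<input type="text" name="event_time_label" value="' . esc_attr($eventTime) . '" />';
}

// Input-side hardening: strip markup before the value is stored.
function demo_store_time_label(array $post) {
    $raw = isset($post['event_time_label']) ? $post['event_time_label'] : '';
    return sanitize_text_field($raw);
}

// Constructed, inert test value: closes the attribute and adds an <em> element.
$submitted = array('event_time_label' => 'All day"><em>marker</em>');

// 1. Unescaped: the quote ends the value attribute and <em> becomes live markup.
echo demo_time_label_field_unsafe($submitted['event_time_label']), "\n";
// 2. Escaped on output: the whole string stays inside the attribute value.
echo demo_time_label_field_safe($submitted['event_time_label']), "\n";
// 3. Sanitized on save and escaped on output.
echo demo_time_label_field_safe(demo_store_time_label($submitted)), "\n";
```

With the stand-in sanitizer the double quote survives tag stripping, so the third line stays well-formed only because the value is also escaped on output.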
Proof of Concept: https://www.gubello.me/blog/my-calendar-2-5-16-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=OvoEiJd6ggY