Impact
The vulnerability arises from improper neutralization of input during web page generation, allowing a stored cross‑site scripting attack. The plugin saves user content without sanitization, enabling attackers to embed malicious scripts that will execute in visitors' browsers when the content is displayed.
Affected Systems
The WordPress plugin "The Events Calendar Shortcode & Block" developed by Brian Hogg, all releases up to and including version 3.1.1, is affected.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate to high severity, while the EPSS probability of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The CVE description does not detail a specific attack path; however, stored XSS flaws typically require the attacker to supply input through a content‑editing interface, after which the malicious code is displayed to site visitors. The impact is confined to browsers that render the compromised content and can be mitigated by updating or disabling the plugin, or by applying suitable controls such as a content‑security policy.
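The following is an added illustration of the output-escaping failure the advisory describes, placed beside a hardened rendering routine; it is hypothetical code, not the plugin's source and not taken from the CVE record. It is plain PHP so it runs from the command line without WordPress, and the function names, attribute names and sample content are all assumptions.

```php
<?php
// Constructed "stored" content, shaped like a shortcode attribute an editor-level
// user could persist. Nothing here comes from the affected plugin.
$stored = [
    'title' => 'Spring Meetup <script>alert(document.cookie)</script>',
    'url'   => 'javascript:alert(1)',
];

// Vulnerable pattern (CWE-79): stored values are concatenated straight into the
// page, so any markup in them becomes part of the DOM for every visitor.
function render_event_unsafe(array $ev): string {
    return '<a href="' . $ev['url'] . '">' . $ev['title'] . '</a>';
}

// Hardened pattern: escape for the exact output context and allow-list the URL
// scheme. In a real plugin esc_html() and esc_url() would fill these roles.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_link(string $url): string {
    $url    = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    // Only absolute http/https links are accepted; javascript:, data: and
    // scheme-less (relative) values are dropped in this simplified version.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_text($url);   // then escape for the attribute context
}

function render_event_safe(array $ev): string {
    $href  = esc_link($ev['url']);
    $title = esc_text($ev['title']);
    return $href === '' ? $title : '<a href="' . $href . '">' . $title . '</a>';
}

echo 'unsafe: ' . render_event_unsafe($stored) . PHP_EOL;
echo 'safe:   ' . render_event_safe($stored) . PHP_EOL;
```

Running it shows the unsafe line carrying the script tag and the javascript: link intact, while the safe line renders the title as inert text and omits the disallowed link; a content-security policy, as the advisory notes, adds a second layer by blocking inline script even where escaping is missed.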
OpenCVE Enrichment