The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS). Attackers can inject malicious scripts through the plugin's Event Calendar Link Widget, and those scripts execute whenever a user accesses the affected page. The vulnerability exists in all versions up to 6.9.0 and can be exploited by attackers with Contributor-level access or higher.