WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the ‘from’ and ‘to’ parameters of the ‘/my-calendar/v1/events’ REST route.
View the template here CVE-2023-6360.yaml
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-6360