The plugin does not sanitise and escape Calendar names, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create a new calendar with the following Name: <script>alert('XSS')</script>
The XSS will be triggered when editing or publishing the calendar.
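
The fix pattern for this class of bug, as an added example that is not the affected plugin's code: sanitise the name when it is saved and escape it again when it is rendered. The function names, the calendar_name field, the heading markup and the stand-in definitions of sanitize_text_field() and esc_html() (used only when WordPress is not loaded) are assumptions.

```php
<?php
// Added example: hypothetical plugin code, not the affected plugin's source.
// Function names, the 'calendar_name' field and the markup are assumptions.

// Approximate stand-ins so the file also runs with plain `php`, outside WordPress.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($value) {
        return trim(strip_tags((string) $value));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// Weak pattern: the submitted name is stored as-is and echoed raw later.
function calendar_name_store_unsafe(array $post) {
    return isset($post['calendar_name']) ? $post['calendar_name'] : '';
}
function calendar_heading_unsafe($stored_name) {
    return '<h2>Edit calendar: ' . $stored_name . '</h2>';
}

// Hardened pattern: sanitise on input, escape on output.
function calendar_name_store_safe(array $post) {
    $raw = isset($post['calendar_name']) ? $post['calendar_name'] : '';
    return sanitize_text_field($raw);
}
function calendar_heading_safe($stored_name) {
    // Escape even though the value was sanitised: rows written before
    // the fix, or by another code path, may still contain markup.
    return '<h2>Edit calendar: ' . esc_html($stored_name) . '</h2>';
}

// Constructed request body using the name from the proof of concept.
$post = array('calendar_name' => "<script>alert('XSS')</script>");

$unsafe = calendar_heading_unsafe(calendar_name_store_unsafe($post));
$safe   = calendar_heading_safe(calendar_name_store_safe($post));
// A row stored before sanitisation existed, rendered by the fixed view.
$legacy = calendar_heading_safe($post['calendar_name']);

foreach (array('unsafe' => $unsafe, 'safe' => $safe, 'legacy' => $legacy) as $label => $html) {
    // The check a regression test would make: no live script tag in the markup.
    $verdict = stripos($html, '<script') === false ? 'ok' : 'SCRIPT TAG PRESENT';
    printf("%-7s %-18s %s\n", $label, $verdict, $html);
}
```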