The plugin does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks.
1. Create an event page using the plugin.
2. Access the page using an account with Subscriber role.
3. In the 'User notes' section, inject the following XSS payload: `<img src=q onerror=prompt(/XSS/)>`
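
An added sketch, not the plugin's own code, of the sanitise-on-input and escape-on-output handling whose absence the advisory describes, run against the payload from step 3. The function names are hypothetical, and the two guarded stand-ins only approximate the WordPress core functions so the file also runs outside WordPress.

```php
<?php
// Added illustration. Function names and the markup are hypothetical,
// not taken from the plugin.

// Simplified stand-ins, used only when WordPress is not loaded.
if (!function_exists('sanitize_textarea_field')) {
    function sanitize_textarea_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Pattern the advisory describes: the note is echoed into the page as HTML.
function render_note_unsafe(string $note): string {
    return '<div class="user-note">' . $note . '</div>';
}

// Sanitise on input: strip markup before the note is stored.
function save_note(string $raw): string {
    return sanitize_textarea_field($raw);
}

// Escape on output: whatever is stored is rendered as text, never as markup.
function render_note_safe(string $stored): string {
    return '<div class="user-note">' . nl2br(esc_html($stored)) . '</div>';
}

$payload = '<img src=q onerror=prompt(/XSS/)>'; // payload from step 3

// Unsafe path: the <img> element reaches the browser intact.
echo render_note_unsafe($payload), "\n";

// Escaping alone already neutralises notes stored before any fix was deployed.
echo render_note_safe($payload), "\n";

// Both layers together on a constructed, benign note with line breaks.
echo render_note_safe(save_note("Bring ID <b>please</b>\nDoors open 7pm")), "\n";
```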