The plugin does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
As an unauthenticated user, book an Event, and put the following payload in the Buyer Info First or Last Name:

The XSS will be triggered when an admin views the Orders page in the admin dashboard (/wp-admin/edit.php?post_type=tc_orders).

https://www.youtube.com/watch?v=AGs6WqI4VAg
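The missing sanitising and escaping described above, shown as a weak rendering function beside a corrected one. This is an added example, not the plugin's code: the `demo_*` functions and sample values are hypothetical, and the `sanitize_text_field()` / `esc_html()` stand-ins are simplified versions defined only when WordPress is not loaded.

```php
<?php
// Added example: hypothetical order-row rendering, not the plugin's code.
// Outside WordPress, simplified stand-ins are defined so the file runs alone.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) {
        // Simplified stand-in: drop tags, collapse whitespace.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $s)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($s) {
        // Simplified stand-in: encode HTML metacharacters, quotes included.
        return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    }
}

// Input side: sanitise the buyer name fields before the order is stored.
function demo_store_buyer(array $post): array {
    return [
        'first_name' => sanitize_text_field($post['first_name'] ?? ''),
        'last_name'  => sanitize_text_field($post['last_name'] ?? ''),
    ];
}

// Weak form: the stored value is concatenated into the admin HTML as-is.
function demo_name_cell_unescaped(array $buyer): string {
    return '<td>' . $buyer['first_name'] . ' ' . $buyer['last_name'] . '</td>';
}

// Corrected form: escape for the HTML context at the point of output,
// even when input is sanitised, because older rows may predate that fix.
function demo_name_cell_escaped(array $buyer): string {
    return '<td>' . esc_html($buyer['first_name'] . ' ' . $buyer['last_name']) . '</td>';
}

// Constructed sample: a row stored before input sanitising existed.
$legacy = ['first_name' => '<b>Ann</b>', 'last_name' => 'O"Neil & Co'];
echo demo_name_cell_unescaped($legacy), "\n"; // markup reaches the page as markup
echo demo_name_cell_escaped($legacy), "\n";   // markup is rendered as plain text

// Constructed sample: a new booking, sanitised on input and escaped on output.
$fresh = demo_store_buyer(['first_name' => " <b>Ann</b>\n", 'last_name' => 'Lee']);
echo demo_name_cell_escaped($fresh), "\n";
```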