The plugin does not sanitise and escape Custom Field Names, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Add/Edit a Custom Field (/wp-admin/admin.php?page=eme-formfields) and put the following payload in the Field Name: a

The XSS will be triggered when accessing some pages like Custom Field, Pending Bookings, Approved Bookings.
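
One way to close this class of bug, shown as an added example that is not the plugin's code: sanitise the Field Name when it is saved and escape it wherever it is rendered. It is plain PHP so it runs from the CLI; the function names are hypothetical, and inside WordPress sanitize_text_field(), esc_attr() and esc_html() would take these roles.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.
// WordPress equivalents: sanitize_text_field() on save, esc_attr()/esc_html() on output.

// Save path: reduce the submitted Field Name to plain text before storing it.
function example_sanitize_field_name(string $raw): string
{
    $name = strip_tags($raw);                               // drop markup
    $name = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $name); // drop control characters
    return trim(preg_replace('/\s+/', ' ', $name));         // collapse whitespace
}

// Vulnerable pattern: the stored name is concatenated into HTML as-is.
function example_render_row_unsafe(string $name): string
{
    return '<tr><td><input name="field_name" value="' . $name . '"></td>'
         . '<td>' . $name . '</td></tr>';
}

// Hardened pattern: escape at output, unconditionally. It is not gated on the
// editor's role or on unfiltered_html, and it also covers names stored earlier.
function example_render_row(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td><input name="field_name" value="' . $safe . '"></td>'
         . '<td>' . $safe . '</td></tr>';
}

// Constructed input: harmless markup that breaks out of the value attribute.
$submitted = 'Seat "> <b>preference</b>';

$legacy = $submitted;                               // stored before any fix
$stored = example_sanitize_field_name($submitted);  // stored after the fix

echo "unsafe render of legacy value:\n", example_render_row_unsafe($legacy), "\n\n";
echo "escaped render of legacy value:\n", example_render_row($legacy), "\n\n";
echo "escaped render of sanitised value:\n", example_render_row($stored), "\n";
```

Escaping at output is the part that protects the Custom Field, Pending Bookings and Approved Bookings pages against names already in the database; sanitising on save only affects new or edited fields.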