An unauthenticated user or a user without privileges, who can submit an event, can inject javascript code in the Google Maps miniature. The malicious code runs in the admin panel when a user with privileges opens the submitted event. The problem is in the file events-manager.js, the variable mapTitle is not escaped. 15/01/2018 – Events Manager is updated to version 5.8.1.2 and the vulnerability is fixed