The plugin does not sanitise and escape a setting of its Calendar fields, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Create/edit a calendar, and put the following payload in the “Additional CSS Class” setting of a field:

v < 1.3.55: “><”
v < 1.3.56:
  backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
  frontend: " style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//

The XSS will be triggered in the post/page where the Calendar is embedded, as well as when accessing the field settings when editing the calendar.
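The missing sanitisation and escaping can be seen in a short added example, which is not the plugin's code: a field's class setting is rendered once unescaped and once sanitised on save and escaped on output. All function names and the input markup are hypothetical; the script is plain PHP so it runs outside WordPress, where sanitize_html_class() and esc_attr() are the usual helpers for these two steps.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Unsafe pattern: the stored setting is concatenated into the attribute as-is,
// so a double quote in the value ends class="..." and starts new attributes.
function render_field_unsafe(string $css_class): string
{
    return '<input type="text" class="field ' . $css_class . '">';
}

// Save-time sanitisation: split on whitespace and keep only tokens that are
// plain class names; anything else is dropped. WordPress offers
// sanitize_html_class() for filtering a single class name.
function sanitize_class_list(string $raw): string
{
    $tokens = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    $clean  = [];
    foreach ($tokens as $token) {
        if (preg_match('/^-?[A-Za-z_][A-Za-z0-9_-]*$/', $token)) {
            $clean[] = $token;
        }
    }
    return implode(' ', array_unique($clean));
}

// Output-time escaping: the value is escaped for the attribute context even
// though it was sanitised. In WordPress this step is esc_attr().
function render_field_safe(string $css_class): string
{
    $class = sanitize_class_list($css_class);
    $class = htmlspecialchars($class, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" class="field ' . $class . '">';
}

// Inputs: one ordinary value and the backend payload quoted in the advisory.
$samples = [
    'wide highlight',
    '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
];

foreach ($samples as $value) {
    echo 'stored : ', $value, PHP_EOL;
    echo 'unsafe : ', render_field_unsafe($value), PHP_EOL;
    echo 'safe   : ', render_field_safe($value), PHP_EOL, PHP_EOL;
}
```

For the advisory's payload, the unsafe renderer emits separate style and event-handler attributes, while the safe renderer emits an empty class list because none of the tokens is a valid class name.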