The events-manager plugin prior to 5.5.2 for WordPress has XSS in the booking form.
wp-events-plugin events manager