The events-manager plugin prior to 5.3.9 for WordPress has XSS in the search form field.
wp-events-plugin events manager