The events-manager plugin prior to 5.3.6.1 for WordPress has XSS via the booking form and admin areas.
wp-events-plugin events manager