The plugin does not escape some of the Calendar Form settings, allowing high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
Create a new Calendar (Appointment Hour Booking > Add new)
Put the following payload in the Form Settings > "Form Name" and "Description" fields: <img src onerror=alert(/XSS/)>
Click the "Save Changes and Return" button
The XSS will be triggered:
- When editing the calendar again in the admin dashboard
- In posts/pages where the calendar is embedded
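The bug class behind the steps above is a setting stored verbatim and echoed into HTML without output escaping. The PHP below is an added illustration, not the plugin's code: it renders the two fields from the PoC once unescaped and once through the WordPress escaping helpers, and checks whether the raw payload survives. The function names, the assumed storage layout of the settings and the fallback definitions of esc_html/esc_attr (only used when the file runs outside WordPress) are assumptions for this example.

```php
<?php
// Added example, not taken from the plugin. Assumption: "Form Name" and
// "Description" are stored as plain strings and printed as element text in
// both the admin edit screen and the front-end embed, which is the context
// in which the tag-based PoC payload executes.

// Stand-ins so the file runs outside WordPress; WordPress itself defines
// these (its versions also handle invalid UTF-8 and double-encoding rules).
if (!function_exists('esc_html')) {
    function esc_html($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample settings: the payload from the PoC, as an admin
// without unfiltered_html could save it. That capability only gates
// WordPress's KSES filtering of post content; plugin settings are only
// sanitized or escaped if the plugin does it itself.
$settings = [
    'form_name'   => '<img src onerror=alert(/XSS/)>',
    'description' => 'Book a slot <img src onerror=alert(/XSS/)>',
];

// Vulnerable render path: values interpolated straight into markup.
// Reachable from the admin "edit calendar" screen and from any page
// that embeds the calendar, so the payload runs in both places.
function vulnerable_render(array $s): string {
    return '<h2 class="calendar-title">' . $s['form_name'] . '</h2>'
         . '<div class="calendar-description">' . $s['description'] . '</div>'
         . '<input type="text" name="form_name" value="' . $s['form_name'] . '">';
}

// Hardened render path: escape at output time with the helper matching
// the HTML context (esc_html for element text, esc_attr inside a
// quoted attribute value).
function hardened_render(array $s): string {
    return '<h2 class="calendar-title">' . esc_html($s['form_name']) . '</h2>'
         . '<div class="calendar-description">' . esc_html($s['description']) . '</div>'
         . '<input type="text" name="form_name" value="' . esc_attr($s['form_name']) . '">';
}

// Rough reviewer check: does the stored payload reach the page verbatim?
function contains_raw_payload(string $html): bool {
    return strpos($html, '<img src onerror=') !== false;
}

echo 'vulnerable: ' . (contains_raw_payload(vulnerable_render($settings)) ? 'payload intact' : 'escaped') . "\n";
echo 'hardened:   ' . (contains_raw_payload(hardened_render($settings)) ? 'payload intact' : 'escaped') . "\n";
```

Output escaping is the fix the advisory calls for; sanitizing on save (sanitize_text_field() for a name, wp_kses_post() if a description is meant to carry limited markup) is worthwhile defense in depth but does not replace escaping, because the stored value can also reach the page through other render paths or be written directly to the options table.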