Event Manager and Tickets Selling Plugin for WooCommerce < 3.8.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Proof of Concept
1. Add an event in the plugin with a city meta as: " onmouseover="alert(1)"
2. On a new page, add the [event-list] shortcode.
3. Hover the mouse on the content displayed by shortcode to trigger the XSS.
Dependency: WooCommerce plugin.