The plugin does not properly sanitize values used when creating new calendars.
Proof of Concept
* Open the Appointment Hour Booking Tab.
* Enter XSS payload like "><script>alert(document.location)</script> in new calendar name field. and click on "add new" button.
* Go back to the Appointment Hour Booking Tab and select "Publish" for any calendar.
* The XSS payload will trigger on this page.