The plugin does not sanitize and escape some of the Hourly Schedule parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.
As a contributor, create or edit an Event and add the following payload to a "Hourly Schedule" title, as well as to any of the "hourly schedule row" fields (i.e. from, to, title and description): <script>alert(/XSS/)</script>
The XSS will be triggered when viewing/previewing the event.
By using a payload such as "><script>alert(/XSS/)</script> in the Hourly Schedule title field, an XSS can also be triggered when editing the Event again (as long as the event hasn’t been viewed/previewed yet).
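The two triggers above correspond to two output contexts, element text on the event page and a quoted attribute value in the edit form, and each stored value has to be escaped for the context it is printed in. The following is an added example, not the plugin's code: the array layout and function names are hypothetical, and plain PHP's htmlspecialchars() stands in for WordPress's esc_html() and esc_attr() so the script runs without WordPress.

```php
<?php
// Added illustration, not the plugin's code. Field names follow the advisory
// (from, to, title, description); array layout and function names are hypothetical.

// Constructed sample: schedule values as a contributor could have saved them.
$schedule = [
    'title' => '"><script>alert(/XSS/)</script>',
    'rows'  => [
        ['from' => '09:00', 'to' => '10:00',
         'title' => '<script>alert(/XSS/)</script>', 'description' => 'Opening'],
    ],
];

// Escape for element text and quoted attribute values.
// In WordPress the equivalents are esc_html() and esc_attr().
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored value is concatenated into the edit form as-is,
// so a leading "> closes the value attribute and the input tag.
function render_edit_field_unsafe(array $schedule): string
{
    return '<input type="text" name="schedule_title" value="' . $schedule['title'] . '">';
}

// Hardened edit form: quotes and angle brackets become entities.
function render_edit_field(array $schedule): string
{
    return '<input type="text" name="schedule_title" value="' . h($schedule['title']) . '">';
}

// Hardened event view: the schedule title and every row field are escaped on output.
function render_view(array $schedule): string
{
    $html = '<h3>' . h($schedule['title']) . '</h3><table>';
    foreach ($schedule['rows'] as $row) {
        $html .= '<tr>';
        foreach (['from', 'to', 'title', 'description'] as $field) {
            $html .= '<td>' . h($row[$field] ?? '') . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

echo render_edit_field_unsafe($schedule), "\n";
echo render_edit_field($schedule), "\n";
echo render_view($schedule), "\n";
```

Escaping on output covers both triggers described above; sanitizing the fields when the event is saved (sanitize_text_field() in WordPress) addresses the missing sanitization as well.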