The plugin does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue
https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.php#L550
/wp-admin/admin.php?page=advanced-booking-calendar-show-settings&setting=licenseKeyError&message=<script>alert(123)</script>