The problem is in the file events-manager.js, the variable mapTitle is not escaped.
PROOF OF CONCEPT
Events Manager 18.104.22.168 is vulnerable, probably earlier versions too.
Marcus Sykes, the Events Manager’s developer, fixed the vulnerability on January, 15th, and published a post on his blog about it.
10/01/2018 – I send the report
15/01/2018 – Events Manager is updated to version 22.214.171.124 and the vulnerability is fixed
26/03/2018 – Public disclosure