The problem is in the file events-manager.js, the variable mapTitle is not escaped.
PROOF OF CONCEPT
Events Manager 184.108.40.206 is vulnerable, probably earlier versions too.
Marcus Sykes, the Events Manager’s developer, fixed the vulnerability on January, 15th, and published a post on his blog about it.
10/01/2018 – I send the report
15/01/2018 – Events Manager is updated to version 220.127.116.11 and the vulnerability is fixed
26/03/2018 – Public disclosure