The problem is in the file events-manager.js, the variable mapTitle is not escaped.
PROOF OF CONCEPT
Events Manager 220.127.116.11 is vulnerable, probably earlier versions too.
Marcus Sykes, the Events Manager’s developer, fixed the vulnerability on January, 15th, and published a post on his blog about it.
10/01/2018 – I send the report
15/01/2018 – Events Manager is updated to version 18.104.22.168 and the vulnerability is fixed
26/03/2018 – Public disclosure