The problem is in the file events-manager.js, the variable mapTitle is not escaped.
PROOF OF CONCEPT
Events Manager 188.8.131.52 is vulnerable, probably earlier versions too.
Marcus Sykes, the Events Manager’s developer, fixed the vulnerability on January, 15th, and published a post on his blog about it.
10/01/2018 – I send the report
15/01/2018 – Events Manager is updated to version 184.108.40.206 and the vulnerability is fixed
26/03/2018 – Public disclosure