The problem is in the file events-manager.js, the variable mapTitle is not escaped.
PROOF OF CONCEPT
Events Manager 126.96.36.199 is vulnerable, probably earlier versions too.
Marcus Sykes, the Events Manager’s developer, fixed the vulnerability on January, 15th, and published a post on his blog about it.
10/01/2018 – I send the report
15/01/2018 – Events Manager is updated to version 188.8.131.52 and the vulnerability is fixed
26/03/2018 – Public disclosure