The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a Settings values in the admin panel.