An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel (stored XSS). In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.

The vulnerability is fixed in My Calendar 2.5.17.

Proof of Concept: https://www.gubello.me/blog/my-calendar-2-5-16-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=OvoEiJd6ggY
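As an added illustration, not code from the My Calendar plugin, the pattern that closes this class of bug: escape the label at the point of output, with input-side stripping as defence in depth. The function names and the $eventTime usage below are hypothetical; the sample label is constructed.

```php
<?php
// Vulnerable form: the stored label is concatenated into HTML unchanged, so
// any markup an event author saved executes in every viewer's browser,
// including an administrator's, when the event is rendered.
function render_event_time_vulnerable(string $eventTime): string {
    return '<span class="event-time">' . $eventTime . '</span>';
}

// Output escaping: in a WordPress plugin use esc_html() (esc_attr() inside
// attributes); outside WordPress, htmlspecialchars() with ENT_QUOTES is the
// equivalent. Escaping at output is the control that actually stops XSS.
function escape_html(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input-side hardening (defence in depth, not a replacement for escaping):
// a time label never legitimately contains tags, so strip them before storing.
function sanitize_event_time_label(string $raw): string {
    if (function_exists('sanitize_text_field')) {
        return sanitize_text_field($raw);
    }
    return trim(strip_tags($raw));
}

function render_event_time_safe(string $eventTime): string {
    return '<span class="event-time">' . escape_html($eventTime) . '</span>';
}

// Constructed sample of the kind of value an authenticated event author
// could submit in event_time_label.
$submitted = '9:00 AM <script>alert(1)</script>';

echo "vulnerable: ", render_event_time_vulnerable($submitted), PHP_EOL;
echo "escaped:    ", render_event_time_safe($submitted), PHP_EOL;

$stored = sanitize_event_time_label($submitted);
echo "stored+escaped: ", render_event_time_safe($stored), PHP_EOL;
```

Run with the php CLI; the escaped lines show the tag rendered as literal text rather than executed, which is the behaviour the 2.5.17 fix should produce for this field.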