When booking an appointment, either as unauthenticated or any authenticated user, put the following payload in the First Name field: test" onfocus=alert('XSS')

The payload will be triggered when an admin will access the appointment via the 'Calendar' page

Edit (WPScanTeam): Payload w/o user interaction other than accessing the calendar page: " style="animation-name:rotation" onanimationstart="alert(/XSS/)//