The “Events Calendar” plugin for WordPress has a security flaw that allows unauthorized access. In versions 6.11.2.1 and below, the plugin does not check for proper permissions in the ajax_preview_import() function. As a result, attackers who are logged in with subscriber-level access or higher can create an import without proper authorization.
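The missing-permission pattern described above, next to a handler that checks both the nonce and the caller's capability. This is an added illustration, not the plugin's own code: the hook names, the nonce action, the `example_create_import()` helper and the `manage_options` capability are assumptions.

```php
<?php
// Added illustration: NOT The Events Calendar's source. Hook names, the nonce
// action and the chosen capability are assumptions made for the example.

// Any logged-in user, subscribers included, can reach a wp_ajax_* action.
add_action( 'wp_ajax_example_preview_import_weak', 'example_preview_import_weak' );
add_action( 'wp_ajax_example_preview_import', 'example_preview_import' );

// Hypothetical stand-in for the code that actually creates the import.
function example_create_import( $origin ) {
	return array( 'origin' => $origin, 'status' => 'queued' );
}

// Weak pattern: being logged in is the only requirement before the import is created.
function example_preview_import_weak() {
	$origin = isset( $_POST['origin'] ) ? sanitize_text_field( wp_unslash( $_POST['origin'] ) ) : '';
	wp_send_json_success( example_create_import( $origin ) );
}

// Hardened pattern: verify request intent (nonce) and authorization (capability)
// before doing any work.
function example_preview_import() {
	// Rejects requests that lack a valid nonce for this action (dies with 403).
	check_ajax_referer( 'example_preview_import', 'nonce' );

	// Assumed capability; use the one that gates the import screen itself.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$origin = isset( $_POST['origin'] ) ? sanitize_text_field( wp_unslash( $_POST['origin'] ) ) : '';
	wp_send_json_success( example_create_import( $origin ) );
}
```

When reviewing a plugin, every `wp_ajax_*` callback that changes state should show both checks before its first side effect.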