The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.
View the template here CVE-2023-2796.yaml
References:
https://www.wordfence.com/threat-intel/vulnerabilities/id/dba3f3a6-3f55-4f4e-98e4-bb98d9c94bdd