The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor.
https://wpscan.com/vulnerability/f15dd1ca-aa40-4d3b-9625-e3ace744374d/