Spiffy Calendar < 4.9.1 - Subscriber+ Arbitrary Event Edition/Deletion via IDOR

The plugin does not check that an event belongs to the user editing/deleting it, allowing any authenticated users to delete arbitrary one via an IDOR attack