Cross-Site Request Forgery (CSRF) vulnerability leading to event deletion exists in Spiffy Calendar WordPress plugin (versions <= 4.9.0).
spiffyplugins spiffy calendar