Share
## https://sploitus.com/exploit?id=WPEX-ID:5904DC7E-1058-4C40-BCA3-66BA57B1414B
1. ADMIN: Install Event Tickets
2. ADMIN: Install Event Tickets Plus
3. ADMIN: Create pages with each status: published, private, password-protected, draft, and trashed and add one RSVP that has an end sale date of 1 week from now
4. ADMIN: Go to those pages and RSVP for each one as the currently logged in admin (the trashed post will need to be trashed after you add the RSVP)
5. CONTRIBUTOR: Add shortcode to any post and specify/guess the page ID and save
6. CONTRIBUTOR: Preview the post and see all attendees for pages (of any status) you shouldn't have access to (NOTE: Attendee list shortcode will only output on the first occurrence so you may need to modify the page ID you reference for each of your tests)

Example shortcode: `[tribe_attendees_list event="ANY_PAGE_ID"]`