The Jetpack Carousel module lets users create a "carousel"-style image gallery and comment on the images.
A security vulnerability in the Jetpack Carousel module, found by nguyenhg_vcs, allowed the comments of non-published pages/posts to be leaked.
Please refer to the Proof of Concept (PoC) of this vulnerability for further technical details.
Proof of Concept
By changing the "id" parameter of the POST request to a valid media attachment id on a page/post that was not public, it was possible to leak the non-public comments.
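
The missing control is an authorization decision tied to the attachment's parent page/post. One way to express it with WordPress core functions, as an added example that is not Jetpack's own code or its actual fix (the function name `example_can_view_attachment_comments` is hypothetical, and `is_post_publicly_viewable()` assumes WordPress 5.7 or later):

```php
<?php
/**
 * Added example, not Jetpack's code; the function name is hypothetical.
 * Returns true only when the current user may see comments on the
 * attachment identified by the request's "id" parameter.
 */
function example_can_view_attachment_comments( $raw_id ) {
    $attachment_id = absint( $raw_id );
    if ( 0 === $attachment_id ) {
        return false;
    }

    $attachment = get_post( $attachment_id );
    if ( ! $attachment instanceof WP_Post || 'attachment' !== $attachment->post_type ) {
        return false; // Only media attachments are valid targets here.
    }

    // Unattached media has no parent to inherit visibility from, so
    // require read access on the attachment itself.
    if ( 0 === (int) $attachment->post_parent ) {
        return current_user_can( 'read_post', $attachment_id );
    }

    $parent = get_post( $attachment->post_parent );
    if ( ! $parent instanceof WP_Post ) {
        return false; // Parent was deleted: deny rather than guess.
    }

    // Publicly viewable parent: allow, unless it is password protected
    // and the visitor has not supplied the password.
    if ( is_post_publicly_viewable( $parent ) ) {
        return ! post_password_required( $parent );
    }

    // Draft, pending, private, scheduled or trashed parent: only users
    // who can read that specific page/post may see its comments.
    return current_user_can( 'read_post', $parent->ID );
}

// Assumed call site: run this before any comment query in the handler, e.g.
// if ( ! example_can_view_attachment_comments( $_POST['id'] ?? 0 ) ) {
//     wp_send_json_error( null, 403 );
// }
```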