I was getting some help on our site, and the developer found

a bunch of random PDFs in the WP Event Manager uploads ( /uploads/event-manager-uploads), many of which look like spam (attached). I've never seen these before (they don't get sent for any approval on the regular dashboard), and not sure how they got there. It's clogging up our server. How can we make sure these don't get added in the future?