WordPress Plugin Vulnerabilities

The Events Calendar < 6.15.10 - Subscriber+ Draft Event Title/QR Code Exposure

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.15.10

References

CVE
CVE-2025-12175
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ab844a05-80e0-42c7-981c-dea3a18cf4d5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No
WPVDB ID
5a63c85f-2298-4f75-aa0e-1250693d341f

Timeline

Publicly Published
2025-10-30 (about 6 months ago)
Added
2025-10-31 (about 6 months ago)
Last Updated
2025-10-31 (about 6 months ago)

Other

Published
Title
Published
2026-01-27
Title
Leadpages < 1.1.4 - Missing Authorization
Published
2025-04-04
Title
Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
Published
2023-10-06
Title
Contact Form builder with drag & drop - Kali Forms < 2.3.29 - Missing Authorization via get_log
Published
2025-08-15
Title
Al Pack < 1.1.2 - Missing Authorization to Unauthenticated Premium Feature Activation via check_activate_permission Function
Published
2025-01-07
Title
Ultimate Gift Cards for WooCommerce <= 3.0.6 - Missing Authorization to Infinite Money Glitch