WordPress Plugin Vulnerabilities

The Events Calendar < 6.15.10 - Unauthenticated Sensitive Information Exposure

Description

The pluign is vulnerable to information disclosure. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.15.10

References

CVE
CVE-2025-12192
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e5f3feb7-547e-4c01-8453-a1fc207ee009

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
8d5f17b5-ae90-4153-b4b0-7762ace57b74

Timeline

Publicly Published
2025-11-04 (about 6 months ago)
Added
2025-11-05 (about 6 months ago)
Last Updated
2025-11-05 (about 6 months ago)

Other

Published
Title
Published
2024-12-11
Title
Vimeography < 2.4.5 - Sensitive Information Exposure
Published
2025-09-15
Title
Atarim < 4.2.2 - Unauthenticated Information Exposure
Published
2024-02-02
Title
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via API
Published
2024-03-26
Title
VK All in One Expansion Unit < 9.96.0.0 - Unauthenticated Password Protected Content Access
Published
2024-02-07
Title
PPWP – Password Protect Pages < 1.9.0 - Protection Mechanism Bypass