WordPress Plugin Vulnerabilities

Pretty Google Calendar < 2.0.1 - Missing Authorization to Unauthenticated Google API Key Exposure

Description

The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.

Affects Plugins

Plugin icon
pretty-google-calendar
Fixed in 2.0.1

References

CVE
CVE-2025-12898
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c15924-d430-48e3-9804-fa83605b9c24

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ahmad Salem (a7mad.cc)
Verified
No
WPVDB ID
c2327d28-1820-451d-a954-82a654f0a57e

Timeline

Publicly Published
2025-12-19 (about 5 months ago)
Added
2025-12-19 (about 5 months ago)
Last Updated
2026-01-06 (about 4 months ago)

Other

Published
Title
Published
2025-12-31
Title
Export Categories & Taxonomies <= 1.0.3 - Missing Authorization
Published
2024-05-03
Title
ShopLentor (formerly WooLentor) < 2.8.8 - Missing Authorization
Published
2025-10-14
Title
eMember <= 10.2.2 - Missing Authorization
Published
2024-01-02
Title
Easy Social Feed < 6.5.3 - Subscriber+ Settings Update
Published
2024-04-16
Title
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.4 - Missing Authorization