WordPress Plugin Vulnerabilities

The Events Calendar < 6.15.13.1 - Subscriber+ Data Migration Control

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions . This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.15.13.1

References

CVE
CVE-2025-15043
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
type5afe
Verified
No
WPVDB ID
cdbdd5b8-df44-4949-bf4e-6ac8cf01a07b

Timeline

Publicly Published
2026-01-20 (about 3 months ago)
Added
2026-01-20 (about 3 months ago)
Last Updated
2026-01-20 (about 3 months ago)

Other

Published
Title
Published
2024-04-12
Title
Pardot < 2.1.1 - Missing Authorization
Published
2026-04-27
Title
SureForms Pro < 2.8.1 - Missing Authorization
Published
2025-09-22
Title
SALESmanago < 3.8.2 - Missing Authorization
Published
2024-06-27
Title
Progress Planner < 0.9.2 - Missing Authorization
Published
2024-12-30
Title
Ashe Extra < 1.3 - Missing Authorization