WordPress Plugin Vulnerabilities

The Events Calendar < 6.12.0 - Subscriber+ Import Creation

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the ajax_preview_import() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to create an import.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.12.0

References

CVE
CVE-2025-48246
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fe2fd740-b5b5-4a2a-88fc-b19b2f0f6a2b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
domiee13
Verified
No
WPVDB ID
f7e63579-0a8c-4d88-9a9e-6579fb14274d

Timeline

Publicly Published
2025-05-19 (about 11 months ago)
Added
2025-05-30 (about 11 months ago)
Last Updated
2025-05-30 (about 11 months ago)

Other

Published
Title
Published
2024-05-09
Title
MC Woocommerce Wishlist < 1.7.9 - Missing Authorization
Published
2026-02-17
Title
Business Directory Plugin < 6.4.21 - Missing Authorization to Unauthenticated Arbitrary Listing Modification
Published
2022-02-28
Title
miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
Published
2025-12-15
Title
Listdom < 5.1.0 - Missing Authorization
Published
2024-12-30
Title
Hestia Nginx Cache < 2.4.1 - Missing Authorization