CVE-2025-12192

MEDIUM

The Events Calendar <6.15.9 - Info Disclosure

Description

The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever the "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
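The comparison flaw described above, shown as an added example beside a hardened check; this is not the plugin's code. The function names and `STORED_KEY` are hypothetical, and the sample values are constructed. It assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Constructed value standing in for the stored opt-in key (hypothetical).
const STORED_KEY = 'c0ffee-constructed-sample-key';

// Weak form: loose comparison. When one operand is a boolean, PHP converts
// the other operand to boolean as well, so any non-empty stored key
// compares equal to true.
function key_matches_loose(mixed $provided, string $stored): bool
{
    return $provided == $stored;
}

// Hardened form: reject non-strings and an empty stored key, then compare
// the two strings in constant time.
function key_matches_strict(mixed $provided, string $stored): bool
{
    return is_string($provided)
        && $stored !== ''
        && hash_equals($stored, $provided);
}

// Constructed inputs, typed the way a JSON request body decoder would
// hand them to the handler.
$cases = [
    'correct key'  => STORED_KEY,
    'wrong key'    => 'not-the-key',
    'boolean true' => true,
    'integer 0'    => 0,
    'null'         => null,
];

foreach ($cases as $label => $value) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(key_matches_loose($value, STORED_KEY), true),
        var_export(key_matches_strict($value, STORED_KEY), true)
    );
}
```

Only the boolean row differs between the two columns, which is the CWE-697 condition this record describes.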

Scores

CVSS v3 5.3
EPSS 0.0007
EPSS Percentile 20.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-697
Status published
Products (1)
stellarwp/The Events Calendar < 6.15.9
Published Nov 05, 2025
Tracked Since Feb 18, 2026