CVE-2025-12192 MEDIUM

CVE-2025-12192: The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure

Vendor Stellarwp
Product The Events Calendar
Weakness CWE-697
Published November 5, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever the "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
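The loose comparison described above, next to a type-checked, constant-time replacement. This is an added example, not the plugin's code or its actual patch; the function names and the key value are hypothetical and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the stored opt-in key (constructed value).
const STORED_KEY = 'k3y-constructed-for-demo';

/** Loose check: the comparison pattern the advisory describes (CWE-697). */
function key_matches_loose($provided, $stored): bool
{
    // With ==, when one operand is a bool PHP converts the other to bool too,
    // so true == 'any-non-empty-string' evaluates to true.
    return $provided == $stored;
}

/** Hardened check: require non-empty strings, then compare in constant time. */
function key_matches_strict($provided, $stored): bool
{
    if (!is_string($provided) || !is_string($stored) || $stored === '') {
        return false; // wrong type, or no key configured: deny
    }
    return hash_equals($stored, $provided);
}

// Constructed inputs, typed as they would be after JSON decoding.
$cases = [
    'correct key'  => STORED_KEY,
    'wrong key'    => 'not-the-key',
    'boolean true' => true,
    'null'         => null,
];

foreach ($cases as $label => $provided) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(key_matches_loose($provided, STORED_KEY), true),
        var_export(key_matches_strict($provided, STORED_KEY), true)
    );
}
```

Only the loose check accepts the boolean; the strict check rejects every non-string input before any comparison takes place.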

Explanation of Vulnerability in Simple Terms

02 Summary

The Events Calendar versions 6.15.9 and earlier contain an information disclosure vulnerability. An attacker on the network can read sensitive data without authentication or user interaction. The flaw lies in the key check that guards the sysinfo REST endpoint, so the plugin's access control can be bypassed, potentially exposing event information or other site data to unauthorized parties.

What an attacker can do

03 Attacker Capabilities

Read sensitive event data or other information without logging in.

Potential impact on your site

04 Site Impact

Unauthorized visitors may access private event details or other confidential information stored by the plugin.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

November 5, 2025 CVE published
April 8, 2026 Record updated