CVE-2025-15043 MEDIUM

CVE-2025-15043: The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control

Vendor Stellarwp
Product The Events Calendar
Weakness CWE-862 · Missing authorization
Published January 20, 2026
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.
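The missing-capability-check pattern described above, shown as an added illustration in WordPress PHP. It is not The Events Calendar's code: every `example_*` name is hypothetical, and the AJAX entry point and the choice of `manage_options` are assumptions the page does not confirm.

```php
<?php
// Added illustration. Every example_* name is hypothetical; this is not
// The Events Calendar's code, and the AJAX entry point is an assumption.

// BEFORE (CWE-862): wp_ajax_* hooks fire for any logged-in user, so a
// subscriber reaches this handler and nothing asks what that user may do.
function example_revert_migration_unchecked() {
    do_action( 'example_run_migration_step', 'revert' ); // destructive work
    wp_send_json_success();
}

// AFTER: one guard shared by all three state-changing steps.
function example_guard_migration_request( $step ) {
    // Nonce check: ends the request with 403 if 'nonce' is missing or invalid.
    // A nonce proves intent, not privilege, so it cannot replace the next check.
    check_ajax_referer( 'example_migration_' . $step, 'nonce' );

    // Capability check: being logged in is not authorization.
    // 'manage_options' is an assumed choice of administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}

function example_handle_migration_request() {
    $allowed = array( 'start', 'cancel', 'revert' );
    $step    = isset( $_POST['step'] ) ? sanitize_key( wp_unslash( $_POST['step'] ) ) : '';

    // Reject anything outside the three known steps before doing any work.
    if ( ! in_array( $step, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown step' ), 400 );
    }

    example_guard_migration_request( $step ); // exits the request on failure
    do_action( 'example_run_migration_step', $step );
    wp_send_json_success( array( 'step' => $step ) );
}

// Registered for logged-in users only; no wp_ajax_nopriv_* counterpart.
add_action( 'wp_ajax_example_migration', 'example_handle_migration_request' );
```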

Explanation of Vulnerability in Simple Terms

02 Summary

The Events Calendar for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify or delete event data they should not have access to, by starting, cancelling, or reverting the plugin's Custom Tables V1 database migration. The vulnerability affects versions up to and including 6.15.13. An attacker needs a valid WordPress account to exploit it, but no special privileges or user interaction are required. Site administrators should update to a version newer than 6.15.13.

What an attacker can do

03 Attacker Capabilities

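Modify or delete events without proper authorization checks: start, cancel, or revert the Custom Tables V1 migration, where the revert action drops the custom database tables.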

Potential impact on your site

04 Site Impact

Unauthorized users can alter or remove calendar events, disrupting event management and site functionality.

Conditions required to exploit

05 Prerequisites

Valid WordPress user account with low-level privileges; network access to the site.

Key dates

06 Disclosure timeline

January 20, 2026 CVE published
April 8, 2026 Record updated