What the vulnerability does
01 Description
The Modern Events Calendar Lite plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 7.21.9. This is due to improper or insufficient validation of the id property when exporting calendars. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own; another vulnerability must be present for an affected website to be damaged.
Explanation of Vulnerability in Simple Terms
02 Summary
Modern Events Calendar Lite versions up to 7.21.9 expose sensitive information through improper access controls. An unauthenticated attacker can read non-public data by making direct requests to the application. No user interaction or special privileges are required. Site administrators should update to a version newer than 7.21.9.
What an attacker can do
03 Attacker Capabilities
Read sensitive information from the calendar without authentication.
Potential impact on your site
04 Site Impact
Confidential event data or user information may be exposed to unauthenticated visitors.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
June 6, 2025: CVE published
April 8, 2026: Record updated