CVE-2025-12192

Summary

The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.

Affected Software

VendorProductVersion RangeStatus
stellarwpThe Events Calendar0 <= 6.15.9affected

Weaknesses

  • CWE-697: CWE-697 Incorrect Comparison

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References