{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12175", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T15:51:30.105Z", "datePublished": "2025-10-31T08:25:54.534Z", "dateUpdated": "2026-04-08T17:14:38.610Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:38.610Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.15.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them."}], "title": "The Events Calendar <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab844a05-80e0-42c7-981c-dea3a18cf4d5?source=cve"}, {"url": "https://github.com/the-events-calendar/the-events-calendar/blob/main/src/Events/QR/QR_Code.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar/tags/6.15.10/src/Events/QR/QR_Code.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-10-24T16:06:37.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-30T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-31T17:48:26.743617Z", "id": "CVE-2025-12175", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T17:48:37.987Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12175", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-31T17:48:26.743617Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T17:48:31.911Z"}}], "cna": {"title": "The Events Calendar <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.15.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-24T16:06:37.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-30T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab844a05-80e0-42c7-981c-dea3a18cf4d5?source=cve"}, {"url": "https://github.com/the-events-calendar/the-events-calendar/blob/main/src/Events/QR/QR_Code.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar/tags/6.15.10/src/Events/QR/QR_Code.php"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:38.610Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12175", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:38.610Z", "dateReserved": "2025-10-24T15:51:30.105Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-31T08:25:54.534Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them."}], "id": "CVE-2025-12175", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-31T09:15:46.547", "references": [{"source": "security@wordfence.com", "url": "https://github.com/the-events-calendar/the-events-calendar/blob/main/src/Events/QR/QR_Code.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar/tags/6.15.10/src/Events/QR/QR_Code.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab844a05-80e0-42c7-981c-dea3a18cf4d5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:00:13.167739+00:00", "value": {"mitigation_remediation": ["Update the plugin to version 6.15.10 or later, which removes the missing capability check on the AJAX endpoint.", "If an immediate update is not possible, add an administrative capability check to the tec_qr_code_modal endpoint or disable the QR code feature via a plugin filter so only admins can use it.", "Monitor WordPress REST API and AJAX logs for tec_qr_code_modal calls from non-administrator roles and block such requests if they continue to occur."], "summary": {"action": "Assess Impact", "impact": "Unauthorized access to draft event titles and QR codes"}, "threat_synthesis": {"affected_systems": "All versions of the Events Calendar plugin by StellarWP up to and including 6.15.9 are affected. Any WordPress installation that uses a vulnerable version of this plugin is at risk of exposing unpublished event data to authenticated users.", "description_and_impact": "The Events Calendar plugin for WordPress allows authenticated users with Subscriber-level access and above to access the tec_qr_code_modal AJAX endpoint without performing a capability check. This flaw enables the viewing of draft event names and the generation or viewing of QR codes for those drafts, exposing sensitive event details. The impact is a confidentiality breach of unpublished event information, but it does not provide code execution or data modification capabilities.", "risk_and_exploitability": "The CVSS score of 4.3 classifies the vulnerability as medium severity. The EPSS score of less than 1% suggests the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need a valid WordPress account with at least Subscriber role to send requests to the tec_qr_code_modal endpoint and read the returned data. No additional privileges or network access are required beyond the normal authentication process."}}}}, "created": "2025-11-03T10:45:04.489729+00:00", "updated": "2026-04-21T02:15:06.514029+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$the_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}