{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12192", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T20:31:22.244Z", "datePublished": "2025-11-05T09:27:40.562Z", "dateUpdated": "2026-04-08T17:29:58.824Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:58.824Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.15.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever \"Yes, automatically share my system information with The Events Calendar support team\" setting is enabled."}], "title": "The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5f3feb7-547e-4c01-8453-a1fc207ee009?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-697 Incorrect Comparison", "cweId": "CWE-697", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-10-24T20:47:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-04T21:06:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T15:10:50.799331Z", "id": "CVE-2025-12192", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T15:15:28.224Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12192", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T15:10:50.799331Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T15:10:55.428Z"}}], "cna": {"title": "The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.15.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-24T20:47:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-04T21:06:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5f3feb7-547e-4c01-8453-a1fc207ee009?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar"}], "descriptions": [{"lang": "en", "value": "The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever \"Yes, automatically share my system information with The Events Calendar support team\" setting is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-697", "description": "CWE-697 Incorrect Comparison"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:58.824Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12192", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:58.824Z", "dateReserved": "2025-10-24T20:31:22.244Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T09:27:40.562Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever \"Yes, automatically share my system information with The Events Calendar support team\" setting is enabled."}], "id": "CVE-2025-12192", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-05T10:15:35.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5f3feb7-547e-4c01-8453-a1fc207ee009?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:37:32.255741+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest available update to the Events Calendar plugin.", "If an update is not available or cannot be applied immediately, disable the 'automatically share my system information' option in the plugin settings.", "Ensure WordPress and PHP are running their latest secure releases, and review other plugins for similar information\u2011sharing settings."], "summary": {"action": "Update Plugin", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed StellarWP's The Events Calendar plugin version 6.15.9 or earlier and have the system-information-sharing feature enabled are susceptible. The vulnerability is limited to this particular plugin and affects any user who visits a site running a compromised version, regardless of user role, because the attack does not require authentication.", "description_and_impact": "The vulnerability resides in the Events Calendar plugin for WordPress. A REST endpoint named sysinfo compares the supplied key with the stored opt\u2011in key using a loose equality check. Because of this, an unauthenticated attacker who can send a boolean value can bypass the key check and retrieve the full system report whenever the 'Yes, automatically share my system information with The Events Calendar support team' option is enabled. The disclosed data may include server OS, PHP version, WordPress configuration, active plugins, and other sensitive environment details, compromising confidentiality. This weakness is classified as CWE\u2011697, which denotes non\u2011strict comparison leading to unintended input handling.", "risk_and_exploitability": "The CVSS score of 5.3 places the issue in the medium category. The EPSS score indicates exploitation probability below 1%, suggesting that while the flaw is known, there is currently a low chance of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog. An attacker can exploit this weakness remotely by making an unauthenticated HTTP request to the sysinfo endpoint, sending a boolean payload, and reading the returned system report. No credentials or privileges are needed, and the attack can be performed purely by an automated script, but the low exploitation probability reflects the requirement that the plugin opt\u2011in must be enabled. If enabled, the exposed data can aid discovery of other vulnerabilities within the site."}}}}, "created": "2025-11-06T10:07:19.645251+00:00", "updated": "2026-04-21T18:45:06.078260+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$the_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}