{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12407", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T15:14:06.659Z", "datePublished": "2025-12-12T11:15:51.250Z", "dateUpdated": "2026-04-08T17:14:10.548Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:10.548Z"}, "affected": [{"vendor": "netweblogic", "product": "Events Manager \u2013 Calendar, Bookings, Tickets, and more!", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.2.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Events Manager \u2013 Calendar, Bookings, Tickets, and more! <= 7.2.2.2 - Cross-Site Request Forgery to Location Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a99d0220-38af-40fe-8b9f-af173fc41248?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "thinnawarth mathuros"}], "timeline": [{"time": "2025-10-28T15:29:17.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T21:40:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T14:34:59.551619Z", "id": "CVE-2025-12407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:35:10.640Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T14:34:59.551619Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:35:06.351Z"}}], "cna": {"title": "Events Manager \u2013 Calendar, Bookings, Tickets, and more! <= 7.2.2.2 - Cross-Site Request Forgery to Location Deletion", "credits": [{"lang": "en", "type": "finder", "value": "thinnawarth mathuros"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "netweblogic", "product": "Events Manager \u2013 Calendar, Bookings, Tickets, and more!", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.2.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-28T15:29:17.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T21:40:07.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a99d0220-38af-40fe-8b9f-af173fc41248?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php"}], "descriptions": [{"lang": "en", "value": "The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T11:15:51.250Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12407", "state": "PUBLISHED", "dateUpdated": "2025-12-12T14:35:10.640Z", "dateReserved": "2025-10-28T15:14:06.659Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T11:15:51.250Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12407", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T12:15:44.577", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a99d0220-38af-40fe-8b9f-af173fc41248?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:18:40.537514+00:00", "value": {"mitigation_remediation": ["Update the Events Manager plugin to the latest available version, which restores proper nonce checks for the location_delete action.", "If an immediate update is not feasible, restrict or disable the location_delete functionality for users who do not require event management capabilities, ensuring that only authorized administrators can perform deletions.", "Deploy a CSRF protection plugin or implement server\u2011side checks to enforce nonce validation for all state\u2011changing actions."], "summary": {"action": "Patch", "impact": "Unauthenticated Cross\u2011Site Request Forgery enabling deletion of event locations"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Events Manager \u2013 Calendar, Bookings, Tickets, and more! WordPress plugin for all versions up to and including 7.2.2.2. No other vendors or product versions are noted as impacted.", "description_and_impact": "The plugin suffers from a missing or incorrect nonce validation on the location_delete action, exposing a CSRF flaw (CWE\u2011352). An attacker who tricks an authenticated administrator into visiting a crafted URL can delete event locations without needing any credentials, resulting in data loss and potential disruption of event management functionality.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation requires a social engineering click\u2011through; the attacker sends a forged request that bypasses the missing nonce check, resulting in authorization bypass for the delete operation. There are no indications of additional impact such as remote code execution."}}}}, "created": "2025-12-14T21:16:37.829015+00:00", "updated": "2026-04-21T17:30:37.685507+00:00", "vendors": ["netweblogic", "netweblogic$PRODUCT$events_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}