{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12526", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-30T16:49:26.458Z", "datePublished": "2025-11-11T03:30:45.346Z", "dateUpdated": "2026-04-08T17:06:40.683Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:40.683Z"}, "affected": [{"vendor": "michielve", "product": "Private Google Calendars", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "20250811", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings."}], "title": "Private Google Calendars <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/900294ef-dedb-49d3-b544-eae64399ea03?source=cve"}, {"url": "https://wordpress.org/plugins/private-google-calendars/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402625%40private-google-calendars&new=3402625%40private-google-calendars&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-11-10T15:11:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:13:50.586681Z", "id": "CVE-2025-12526", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:05:56.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:13:50.586681Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:13:52.445Z"}}], "cna": {"title": "Private Google Calendars <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "michielve", "product": "Private Google Calendars", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "20250811"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:11:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/900294ef-dedb-49d3-b544-eae64399ea03?source=cve"}, {"url": "https://wordpress.org/plugins/private-google-calendars/"}], "descriptions": [{"lang": "en", "value": "The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T03:30:45.346Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12526", "state": "PUBLISHED", "dateUpdated": "2025-11-12T20:05:56.989Z", "dateReserved": "2025-10-30T16:49:26.458Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:45.346Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings."}], "id": "CVE-2025-12526", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:46.710", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402625%40private-google-calendars&new=3402625%40private-google-calendars&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/private-google-calendars/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/900294ef-dedb-49d3-b544-eae64399ea03?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:44:50.750901+00:00", "value": {"mitigation_remediation": ["Upgrade Private Google Calendars to a version newer than 20250811 that includes the missing capability check.", "If immediate upgrade is not feasible, reduce the privileges of Subscriber users so they cannot access the pgc_remove action, or configure role permissions to restrict this capability to administrators only.", "Monitor plugin settings changes and audit logs for unauthorized resets to detect potential exploitation."], "summary": {"action": "Patch immediately", "impact": "Unauthorized settings reset (authorization bypass)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Private Google Calendars plugin by michielve for WordPress with versions up to and including 20250811. The plugin\u2019s settings reset functionality can be triggered by any user who has at least Subscriber authority within the WordPress site.", "description_and_impact": "The Private Google Calendars plugin for WordPress suffers from a missing capability check on the pgc_remove action, permitting authenticated users with Subscriber-level access or higher to reset the plugin\u2019s settings. This flaw, identified as CWE\u2011862, allows attackers to modify configuration and potentially alter calendar visibility, access, or plugin behavior, thereby compromising the integrity of calendar data and the user experience.", "risk_and_exploitability": "The CVSS score of 4.3 classifies the flaw as moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The threat is not listed in CISA\u2019s KEV catalog. Because the flaw requires an authenticated WordPress user, the attack vector is an internal, authenticated access path where the attacker must be capable of triggering the pgc_remove action. Given the dependency on user credentials and the lack of a public exploitation vector, the overall risk is moderate but exploitation probability remains low."}}}}, "created": "2025-11-12T12:47:59.161664+00:00", "updated": "2026-04-22T12:00:05.916885+00:00", "vendors": ["michielvaneerd", "michielvaneerd$PRODUCT$private_google_calendars", "wordpress", "wordpress$PRODUCT$wordpress"]}