{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15043", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-23T13:25:41.567Z", "datePublished": "2026-01-20T14:26:32.694Z", "dateUpdated": "2026-04-08T16:45:45.352Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:45.352Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.15.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action."}], "title": "The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-12-19T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-23T13:55:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-20T01:45:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T14:50:51.973166Z", "id": "CVE-2025-15043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:51:12.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T14:50:51.973166Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:51:04.136Z"}}], "cna": {"title": "The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.15.13"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-12-23T13:55:07.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-20T01:45:16.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-20T14:26:32.694Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15043", "state": "PUBLISHED", "dateUpdated": "2026-01-20T14:51:12.202Z", "dateReserved": "2025-12-23T13:25:41.567Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-20T14:26:32.694Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action."}, {"lang": "es", "value": "El plugin The Events Calendar para WordPress es vulnerable a acceso no autorizado debido a una comprobaci\u00f3n de capacidad faltante en las funciones 'start_migration', 'cancel_migration' y 'revert_migration' en todas las versiones hasta la 6.15.13, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, inicien, cancelen o reviertan la migraci\u00f3n de la base de datos Custom Tables V1, incluyendo la eliminaci\u00f3n completa de las tablas de base de datos personalizadas a trav\u00e9s de la acci\u00f3n de reversi\u00f3n."}], "id": "CVE-2025-15043", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-20T15:16:15.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:15:20.539935+00:00", "value": {"mitigation_remediation": ["Apply the plugin update to version 6.15.13.1 or later to restore proper capability checks.", "Reevaluate subscriber role permissions to remove any capability to trigger migration functions and limit access to staff or higher roles only.", "If an update cannot be applied immediately, block the migration endpoints (for example, /wp-admin/admin-ajax.php?action=start_migration, cancel_migration, or revert_migration) for subscriber and lower roles using a web application firewall or server rule until the patch is in place."], "summary": {"action": "Patch immediately", "impact": "Unauthorized control of database migration processes"}, "threat_synthesis": {"affected_systems": "StellarWP The Events Calendar plugin for WordPress versions 6.15.13 and earlier.", "description_and_impact": "The Events Calendar plugin for WordPress contains a missing capability check on the start_migration, cancel_migration, and revert_migration functions in all versions up to and including 6.15.13. This flaw allows an authenticated user with a subscriber role or higher to start, cancel, or revert a Custom Tables V1 database migration. The revert action can drop the custom database tables entirely, resulting in loss of event data. This represents an authorization issue (CWE\u2011862) that could compromise data integrity and availability for users who rely on the plugin's migration features.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 5.4, indicating a moderate risk, while the EPSS score is below 1%, suggesting the likelihood of exploitation is low. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated subscriber or higher, implying that the attack vector is limited to users with legitimate access to the WordPress site. If such a user abuses the missing authorization check, they can execute migration controls that may delete event data, but prevent broader compromise beyond the plugin's scope."}}}}, "created": "2026-01-21T11:19:28.896672+00:00", "updated": "2026-04-21T16:15:40.510305+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$the_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}