5.3

CVE-2025-12192

The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure

The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure

The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
Mögliche Gegenmaßnahme
The Events Calendar: Update to version 6.15.10, or a newer patched version
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerstellarwp
Produkt The Events Calendar
Default Statusunaffected
Version <= 6.15.9
Version 0
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt The Events Calendar
Version *-6.15.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.133
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-697 Incorrect Comparison

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

https://plugins.trac.wordpress.org/changeset/3386042/the-events-calendar
https://www.wordfence.com/threat-intel/vulnerabilities/id/e5f3feb7-547e-4c01-8453-a1fc207ee009?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/e5f3feb7-547e-4c01-8453-a1fc207ee009
Third Party Advisory