Medium Published: Dec 12, 2025

CVE-2025-12408

5.3 CVSS Score Medium

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Export:

Link copied!

Description

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.

CVSS Vector Details

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity None

Availability None

Weaknesses (CWE)

CWE-200

References & External Links

https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/8470b7be-6fae-4941-b523-93e230366522?source=cve

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

← Back to CVE Tracker