CVE-2025-12175
BaseFortify
Publication date: 2025-10-31
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moderntribe | the_events_calendar | 6.15.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in The Events Calendar WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass authorization checks on the 'tec_qr_code_modal' AJAX endpoint. Due to a missing capability check, these users can view draft event names and generate or view QR codes for those drafts, which they normally should not have access to.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of draft event information, potentially exposing sensitive or unpublished event details to users who should not see them. This could result in information leakage and privacy concerns, especially if draft events contain confidential or sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the 'tec_qr_code_modal' AJAX endpoint is accessible without proper capability checks by authenticated users with Subscriber-level access or higher. You can test this by logging in as a Subscriber and attempting to access the AJAX endpoint related to 'tec_qr_code_modal' to see if draft event names and QR codes can be viewed or generated. Specific commands are not provided in the resources, but a practical approach would be to use tools like curl or browser developer tools to send authenticated AJAX requests to the endpoint and observe the responses.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the The Events Calendar plugin to version 6.15.10 or later, where security enhancements have been introduced. These include nonce verification to prevent CSRF attacks and capability checks to ensure only authorized users can access the 'tec_qr_code_modal' AJAX endpoint. If updating immediately is not possible, restrict access to the AJAX endpoint or limit Subscriber-level user capabilities until the update can be applied. [2]