CVE-2025-12192
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-05

Last updated on: 2025-11-06

Assigner: Wordfence

Description
The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-05
Last Modified
2025-11-06
Generated
2026-06-16
AI Q&A
2025-11-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12192
EUVD
EUVD-2025-37779
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
the_events_calendar plugin 6.15.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Events Calendar plugin for WordPress has a vulnerability in versions up to 6.15.9 where its sysinfo REST endpoint uses a loose comparison to check a provided key against a stored opt-in key. This allows unauthenticated attackers to send a boolean value and retrieve the full system report if the setting to automatically share system information with The Events Calendar support team is enabled.

Impact Analysis

This vulnerability can lead to information disclosure, allowing attackers without authentication to access detailed system reports. This could expose sensitive system information that might be used for further attacks or reconnaissance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart