CVE-2025-12408
Unknown Unknown - Not Provided
Information Exposure in Events Manager Plugin Allows Data Leak

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Wordfence

Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12408
EUVD
EUVD-2025-203078
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress events_manager *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access location data from password protected, private, or draft event locations that should not be accessible. This unauthorized exposure of potentially sensitive information could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal or sensitive data. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations.

Executive Summary

This vulnerability in the Events Manager WordPress plugin allows unauthenticated attackers to exploit insufficient restrictions on the 'get_location' action. They can extract data from event locations that are password protected, private, or in draft status, which they should not have access to. Essentially, the plugin does not properly restrict access to sensitive location data, leading to information exposure.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive location information related to events, including those that are meant to be private or protected. This could expose confidential event details to attackers without authentication, potentially compromising privacy and security of event organizers and attendees.

Detection Guidance

You can detect this vulnerability by monitoring AJAX requests to the WordPress plugin's 'get_location' action. Specifically, look for unauthenticated HTTP requests that include the 'action=get_location' parameter and an 'id' parameter targeting the Events Manager plugin. Using tools like curl or wget, you can attempt to query the endpoint to see if location data from private, password protected, or draft events is exposed without authentication. For example, a command like: curl -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' -d 'action=get_location&id=LOCATION_ID' can be used to test if unauthorized location data is returned. If sensitive location data is returned without authentication, the system is vulnerable. [2]

Mitigation Strategies

The immediate mitigation step is to update the Events Manager plugin to a version later than 7.2.2.2 where stricter access control checks have been implemented. The update enforces that location data is only returned if the location status is active and the associated post is publicly viewable or the user is authenticated with appropriate permissions. Until the update is applied, restrict access to the AJAX endpoint or disable the 'get_location' action if possible to prevent unauthorized data exposure. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12408. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart