CVE-2025-12175 — Missing Authorization in THE Events Calendar

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 90.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Stellarwp THE Events Calendar

Timeline

PublishedOct 31

Description

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5stellarwp/the_events_calendar6.15.9

🔴Vulnerability Details

CVEList

The Events Calendar <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure↗2025-10-31

▶

GHSA

GHSA-fgmm-c43r-4vvc: The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX en↗2025-10-31

▶