CVE-2025-12192 — Incorrect Comparison in THE Events Calendar

CWE-697 — Incorrect Comparison3 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 79.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Stellarwp THE Events Calendar
Timeline
PublishedNov 5

Description

The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

â–¶CVEListV5stellarwp/the_events_calendar6.15.9

🔴Vulnerability Details

2
GHSA
GHSA-7r77-r49w-qf55: The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6↗2025-11-05
â–¶
CVEList
The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure↗2025-11-05
â–¶
CVE-2025-12192 — Incorrect Comparison | cvebase