Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-9808Sensitive Information Exposure in THE Events Calendar

CWE-200Sensitive Information Exposure4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
1.2%
top 21.47%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Stellarwp THE Events Calendar
Timeline
PublishedSep 16

Description

The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure2025-09-16
GHSA
GHSA-pq4v-w885-w9qq: The The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 62025-09-16

💥Exploits & PoCs

1
Nuclei
The Events Calendar <= 6.15.2 - Information Disclosure
CVE-2025-9808 — Sensitive Information Exposure | cvebase