Information Exposure Vulnerability in Events Manager Plugin by WordPress
CVE-2025-12408

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Events Manager – Calendar, Bookings, Tickets, And More!
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-12408?

The Events Manager plugin for WordPress is susceptible to an information exposure vulnerability that allows unauthenticated attackers to access sensitive data. This issue arises from inadequate restrictions in the 'get_location' action, enabling unauthorized users to extract information from password-protected, private, or draft event locations. As a result, crucial data that should remain confidential may inadvertently be exposed, emphasizing the need for urgent action to secure affected sites.

Affected Version(s)

Events Manager – Calendar, Bookings, Tickets, and more! * <= 7.2.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3392395/even...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Oct 28, 2025

Credit

thinnawarth mathuros

JSON