Unauthorized Data Modification in Private Google Calendars Plugin for WordPress
CVE-2025-12526

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Private Google Calendars
Vendor: CVE Published:; 11 November 2025

What is CVE-2025-12526?

The Private Google Calendars plugin for WordPress is susceptible to unauthorized data modifications due to a missing capability verification on the 'pgc_remove' action. This flaw affects all versions of the plugin up to and including version 20250811. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to reset critical settings of the plugin, potentially jeopardizing the integrity and functionality of users' calendar data.

Affected Version(s)

Private Google Calendars * <= 20250811

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/private-google-calendars/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 11, 2025
Vulnerability Reserved
Oct 30, 2025

Credit

Athiwat Tiprasaharn

JSON