Full Path Disclosure Vulnerability in Modern Events Calendar Lite Plugin for WordPress
CVE-2025-5733
What is CVE-2025-5733?
CVE-2025-5733 is a Full Path Disclosure vulnerability found in the Modern Events Calendar Lite plugin for WordPress, affecting all versions up to and including 7.21.9. This plugin is widely used to manage and showcase events on WordPress sites. The vulnerability arises from improper validation of the 'id' property during the calendar export process, allowing unauthenticated attackers to obtain sensitive information about the file structure of the web application. Although the information exposed by this vulnerability might not be immediately damaging, it can serve as a stepping stone for attackers when combined with other vulnerabilities, potentially leading to more severe compromises of the affected website.
Potential impact of CVE-2025-5733
-
Information Disclosure: Attackers can gain insights into the application's file structure, leading to other targeted attacks based on the revealed paths. This can assist in planning further exploitation efforts.
-
Increased Attack Surface: While the full path information alone may not pose a direct risk, it may allow attackers to develop targeted strategies to exploit additional vulnerabilities within the web application, increasing the overall risk profile of the affected system.
-
Potential for Combined Exploits: If an attacker is able to identify and exploit this vulnerability alongside another existing flaw, they could gain unauthorized access to the web application, leading to data breaches or unauthorized data manipulation.
Affected Version(s)
Modern Events Calendar Lite * <= 7.21.9