The vulnerability identified as CVE-2025-12175 affects The Events Calendar plugin for WordPress, developed by stellarwp, specifically versions up to and including 6.15.9. The root cause is a missing authorization check (CWE-862) on the AJAX endpoint 'tec_qr_code_modal'. This endpoint is intended to generate and display QR codes related to events managed by the plugin. However, due to the lack of proper capability verification, any authenticated user with at least Subscriber-level permissions can invoke this endpoint. Consequently, these users can access draft event names and generate or view QR codes for events that have not yet been published. The vulnerability does not allow attackers to modify event data or affect the availability of the plugin or site. The CVSS v3.1 base score is 4.3, indicating a medium severity primarily due to confidentiality impact. The attack vector is network-based (remote), with low attack complexity and requiring low privileges but no user interaction. No known exploits have been reported in the wild as of the publication date. The vulnerability could lead to unauthorized disclosure of sensitive or confidential event information, which might be used for social engineering or competitive intelligence. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

For European organizations, especially those relying on WordPress and The Events Calendar plugin for managing events, this vulnerability poses a risk of unauthorized disclosure of draft event information. This could expose sensitive business plans, marketing campaigns, or confidential event details to low-privilege users, including internal users or compromised accounts. Although the impact on integrity and availability is negligible, the confidentiality breach could facilitate further targeted attacks such as phishing or corporate espionage. Organizations in sectors like event management, media, education, and government that use this plugin extensively may face reputational damage or loss of competitive advantage. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by strong access controls, but insider threats or compromised subscriber accounts remain a concern. The absence of known exploits reduces immediate risk but does not eliminate the potential for future exploitation.

1. Monitor for official patches or updates from stellarwp and apply them promptly once released. 2. Until a patch is available, implement custom access controls to restrict access to the 'tec_qr_code_modal' AJAX endpoint, for example, by modifying plugin code or using WordPress hooks to enforce capability checks. 3. Use a Web Application Firewall (WAF) to block or monitor suspicious AJAX requests targeting this endpoint, especially from low-privilege users. 4. Review and tighten user role assignments to limit Subscriber-level access only to trusted users. 5. Conduct internal audits to identify any unauthorized access or data leakage related to draft events. 6. Educate users about the risks of account compromise and enforce strong authentication mechanisms such as MFA to reduce the risk of unauthorized access. 7. Consider temporarily disabling the plugin if the risk outweighs the operational need until a patch is available.