
CVE-2025-12175: CWE-862 Missing Authorization in stellarwp The Events Calendar

Severity: Medium
Tags: Vulnerability, CVE-2025-12175, CWE-862
Published: Fri Oct 31 2025 (10/31/2025, 08:25:54 UTC)
Source: CVE Database V5
Vendor/Project: stellarwp
Product: The Events Calendar

Description

The "The Events Calendar" plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 20:16:48 UTC

Technical Analysis

CVE-2025-12175 affects The Events Calendar, a widely used WordPress plugin from stellarwp. The root cause is a missing capability check (CWE-862) on the 'tec_qr_code_modal' AJAX action, which generates and displays QR codes for events. In WordPress, an action registered on the wp_ajax_{action} hook is reachable through admin-ajax.php by any logged-in user, so unless the handler itself asks whether the caller may see the requested event, the lowest role on the site can call it. That check is absent here: any authenticated user with Subscriber-level permissions or higher can invoke the action to view draft event names and generate QR codes for those drafts. Drafts are normally visible only to their author and to roles that can edit others' posts (Editor and Administrator).

The flaw affects all versions up to and including 6.15.9. The CVSS 3.1 base score is 4.3 (Medium): network attack vector, low attack complexity, low privileges required, no user interaction, and a low confidentiality impact with no integrity or availability impact. The issue exposes unpublished event data but does not allow modification or disruption of service.

This record links no patch, and no exploitation in the wild has been reported. The CVE was reserved on 2025-10-24 and published on 2025-10-31 by Wordfence, the assigning CNA. The issue is a reminder that a nonce on an AJAX endpoint is a CSRF control, not an authorization check: handlers that serve draft or otherwise restricted content need a capability check against the specific object requested.
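The vulnerable and the corrected handler patterns side by side, as an added illustration that is not The Events Calendar's own code (the plugin's real 'tec_qr_code_modal' handler is not reproduced here). The example_-prefixed hook and function names, the post_id and nonce request parameters, and the nonce action string are assumptions made for the example.

```php
<?php
/**
 * Added illustration, not code from The Events Calendar: a WordPress AJAX
 * handler with the CWE-862 missing-authorization pattern, beside its hardened
 * form. Hook names (example_*), the 'post_id' and 'nonce' parameters and the
 * nonce action string are assumptions for this example.
 */

// --- Vulnerable pattern. Any logged-in user can reach a wp_ajax_* action, and
// this handler never asks whether THIS user may see THIS post, so draft titles
// (post_status 'draft', 'pending', 'private', ...) leak to Subscribers.
add_action( 'wp_ajax_example_qr_code_modal_vulnerable', 'example_qr_modal_vulnerable' );
function example_qr_modal_vulnerable() {
    $post_id = absint( $_REQUEST['post_id'] ?? 0 );
    $post    = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    // Title plus the URL the QR image would encode, regardless of who asks.
    wp_send_json_success( array(
        'title' => $post->post_title,
        'url'   => get_permalink( $post ),
    ) );
}

// --- Hardened pattern: CSRF token AND an object-level capability check.
add_action( 'wp_ajax_example_qr_code_modal_hardened', 'example_qr_modal_hardened' );
function example_qr_modal_hardened() {
    // A nonce proves the request came from a page WordPress rendered for this
    // user; it is CSRF protection, not authorization. A Subscriber who can read
    // the nonce off a page they may view still passes this line.
    check_ajax_referer( 'example_qr_code_modal', 'nonce' );

    $post_id = absint( $_REQUEST['post_id'] ?? 0 );
    $post    = get_post( $post_id );

    // 'edit_post' is a meta capability: map_meta_cap() resolves it to edit_posts
    // for the author's own post and to edit_others_posts for anyone else's (for a
    // custom post type, to that type's mapped capabilities), so drafts stay
    // visible only to their author and to Editor/Administrator roles.
    if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( array(
        'title' => $post->post_title,
        'url'   => get_permalink( $post ),
    ) );
}

// The page that opens the modal must hand the client the matching nonce so
// check_ajax_referer() in the hardened handler succeeds for legitimate users.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'jquery' );
    wp_localize_script( 'jquery', 'exampleQr', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_qr_code_modal' ),
    ) );
} );
```

The point of the hardened version is the current_user_can() call against the requested post ID, not the nonce: with only check_ajax_referer() in place the handler would still be CWE-862, because every logged-in user can obtain a valid nonce from any page that prints it.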

Potential Impact

The primary impact is unauthorized disclosure of unpublished event information: draft event names, and the QR codes generated for them, become readable by any account on the site. For organizations that schedule sensitive events (corporations, government agencies, event organizers), premature exposure of plans can mean privacy violations, reputational damage, or useful reconnaissance and pretext material for social engineering. The flaw does not permit data modification or denial of service.

Because only Subscriber-level authentication is required, the barrier is low: a disgruntled insider, a compromised low-privilege account, or, on sites with open registration enabled (Settings > General, "Anyone can register"), anyone willing to create an account can exploit it, which makes the issue effectively unauthenticated on such sites. No exploitation in the wild has been reported so far. Overall the impact is moderate, but the combination of trivial exploitation and unpublished-data exposure warrants prompt remediation.

Mitigation Recommendations

Check for and apply an official update from stellarwp. This record links no fix, so consult the plugin changelog for the first release after 6.15.9 that addresses the 'tec_qr_code_modal' authorization check. Until the site runs that release, administrators can apply the following interim measures:

1) Gate the action. Hook early in admin-ajax.php processing (for example on admin_init from a must-use plugin) and reject 'tec_qr_code_modal' requests from users who lack a capability appropriate to viewing drafts, such as edit_others_posts; this also keeps lower roles out of the QR modal until the patch lands, which is the price of an interim control.
2) Audit user accounts and roles. Remove stale accounts, confirm that only trusted people hold Subscriber or higher access, and disable open registration (Settings > General, "Anyone can register") where it is not needed, since it lets anyone obtain the Subscriber role the attack requires.
3) Use a web application firewall to block or rate-limit requests to admin-ajax.php whose action is 'tec_qr_code_modal'. The action parameter is normally sent in the POST body, so the rule must inspect form fields, not only the URL.
4) Review the sensitivity of draft events. Anything whose title alone is sensitive should not sit in draft on the site until the fix is applied.
5) Monitor for exploitation. Web-server access logs do not show the action name for POST requests, so log from inside WordPress (or from the WAF) with the calling user's ID and role, and alert on Subscriber-level accounts hitting the action or on a single account requesting many event IDs.
6) Keep all plugins current and make sure site administrators understand why timely plugin updates matter.
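A must-use plugin that implements the gating and logging measures above, as an added example that is not code from stellarwp or Wordfence. It assumes the request carries the action name in the standard admin-ajax.php 'action' parameter; the EXAMPLE_TEC_* constant names, the function name and the choice of edit_others_posts as the required capability are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Interim gate for tec_qr_code_modal (added example)
 *
 * Added example, not code from stellarwp or Wordfence. Drop this file in
 * wp-content/mu-plugins/. Must-use plugins load before regular plugins, and
 * admin-ajax.php fires admin_init before any wp_ajax_{action} hook, so this
 * check runs in front of the plugin's own handler and can stop the request.
 */

// Actions to gate and the capability a caller must hold. edit_others_posts
// (Editor and Administrator by default) matches who may normally see other
// people's drafts; it also locks Authors and Contributors out of the QR modal
// until the patched release is installed. Use 'edit_posts' to exclude only
// Subscribers. Both choices are assumptions for this example.
const EXAMPLE_TEC_GATED_ACTIONS = array( 'tec_qr_code_modal' );
const EXAMPLE_TEC_REQUIRED_CAP  = 'edit_others_posts';

add_action( 'admin_init', 'example_tec_gate_qr_ajax', 1 );

function example_tec_gate_qr_ajax() {
    // Only admin-ajax.php requests carry the action parameter we care about.
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, EXAMPLE_TEC_GATED_ACTIONS, true ) ) {
        return;
    }

    $user    = wp_get_current_user();
    $allowed = is_user_logged_in() && current_user_can( EXAMPLE_TEC_REQUIRED_CAP );

    // Log every attempt to PHP's error log (with WP_DEBUG_LOG this lands in
    // wp-content/debug.log). The action name travels in the POST body, so the
    // web server's access log never shows it; this hook is where the request is
    // visible together with the calling user.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';
    error_log( sprintf(
        '[tec-qr-gate] action=%s user=%d login=%s roles=%s ip=%s decision=%s',
        $action,
        $user->ID,
        $user->user_login ?: '-',
        implode( ',', (array) $user->roles ) ?: '-',
        $ip,
        $allowed ? 'allow' : 'deny'
    ) );

    if ( ! $allowed ) {
        // wp_send_json_error() ends the request, so nothing hooked on
        // wp_ajax_tec_qr_code_modal runs for this caller.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
```

The resulting log lines give the detection signal described in step 5: a deny for an account whose roles field reads subscriber, or a burst of allow/deny lines from one login, is worth an alert. Remove the file once the site runs a release that fixes the check, so legitimate Author and Contributor use of the modal is restored.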


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-24T15:51:30.105Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690475de992e7194db50fe46

Added to database: 10/31/2025, 8:39:58 AM

Last enriched: 2/27/2026, 8:16:48 PM

Last updated: 3/26/2026, 9:17:54 AM
