CVE-2025-12192 is a vulnerability identified in The Events Calendar plugin for WordPress, affecting all versions up to and including 6.15.9. The root cause is an incorrect comparison operation (CWE-697) in the sysinfo REST API endpoint, where the plugin compares a provided key to a stored opt-in key using a loose comparison rather than a strict one. This flaw allows an unauthenticated attacker to bypass the intended authentication mechanism by submitting a boolean value (e.g., true or false) instead of the actual key. When the plugin's setting "Yes, automatically share my system information with The Events Calendar support team" is enabled, this bypass grants the attacker access to the full system report. The system report can contain sensitive information about the server environment, plugin configurations, and potentially other metadata that could aid further attacks or reconnaissance. The vulnerability is remotely exploitable without requiring any privileges or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the confidentiality impact and ease of exploitation, but no impact on integrity or availability. No public exploits have been reported yet, and no patches are currently linked, indicating that users should be vigilant and apply updates once available. The vulnerability highlights the importance of strict comparison checks in authentication logic, especially in REST API endpoints that expose system information.

For European organizations, the primary impact is unauthorized disclosure of system information that could facilitate further targeted attacks or exploitation. While the vulnerability does not directly compromise data integrity or availability, the leaked system report may include sensitive details such as server configurations, installed plugins, versions, and environment variables. This information can be leveraged by attackers to identify additional vulnerabilities or misconfigurations. Organizations using The Events Calendar plugin on WordPress sites with the affected versions and with the opt-in system information sharing enabled are at risk. This is particularly concerning for organizations that host critical services or handle sensitive data via WordPress, as attackers could use the disclosed information for reconnaissance or to craft more effective attacks. The vulnerability's ease of exploitation without authentication or user interaction increases the exposure. Given the widespread use of WordPress and The Events Calendar plugin in Europe, especially among SMEs and event management entities, the potential for information leakage is significant. However, the impact remains limited to confidentiality and does not directly cause service disruption or data modification.

European organizations should take immediate steps to mitigate this vulnerability. First, disable the "Yes, automatically share my system information with The Events Calendar support team" setting in the plugin configuration to prevent exposure of system reports. Second, monitor for updates from the vendor (stellarwp) and apply patches as soon as they are released to fix the loose comparison flaw. Third, implement web application firewall (WAF) rules to detect and block suspicious requests to the sysinfo REST endpoint, especially those containing boolean values in the key parameter. Fourth, conduct regular audits of WordPress plugins to ensure only necessary plugins are active and updated. Fifth, restrict access to REST API endpoints where possible, using authentication or IP whitelisting, to reduce exposure. Finally, educate site administrators about the risks of enabling automatic system information sharing and encourage minimal data exposure. These steps go beyond generic advice by focusing on configuration changes, proactive monitoring, and access controls specific to this vulnerability.