CVE-2025-12192 is a vulnerability identified in The Events Calendar plugin for WordPress, specifically in versions up to and including 6.15.9. The flaw stems from an incorrect comparison operation (CWE-697) in the sysinfo REST API endpoint, where the plugin compares a provided key to a stored opt-in key using a loose comparison method. This improper comparison allows an attacker to bypass authentication by submitting a boolean value (e.g., true) instead of the expected key string. When the affected setting "Yes, automatically share my system information with The Events Calendar support team" is enabled, this flaw permits unauthenticated remote attackers to retrieve the full system report. The system report may contain sensitive environment details such as server configuration, software versions, and potentially other diagnostic information that could aid further attacks. The vulnerability does not require any privileges or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the limited impact on confidentiality without affecting integrity or availability. No patches or exploits are currently publicly available, but the issue is officially published and tracked. This vulnerability highlights the risk of improper input validation and comparison logic in REST API endpoints, especially when handling sensitive diagnostic data.

The primary impact of CVE-2025-12192 is unauthorized disclosure of sensitive system information from WordPress sites using The Events Calendar plugin with the affected versions and the opt-in system info sharing enabled. Attackers can remotely obtain detailed system reports without authentication, which may include server environment details, software versions, and configuration data. This information leakage can facilitate reconnaissance for further targeted attacks such as privilege escalation, exploitation of other vulnerabilities, or social engineering. While the vulnerability does not directly compromise data integrity or availability, the exposure of internal system details increases the overall attack surface and risk profile of affected organizations. Small to large organizations relying on WordPress for event management and using this plugin are at risk, especially those with sensitive or regulated data. The vulnerability could also erode trust in affected websites if exploited. Since exploitation requires no user interaction or privileges, the attack vector is broad and can be automated by attackers scanning for vulnerable sites.

1. Immediately disable the "Yes, automatically share my system information with The Events Calendar support team" setting in the plugin configuration to prevent exposure of system reports until a patch is available. 2. Monitor official communications from StellarWP and The Events Calendar plugin developers for security updates and apply patches promptly once released. 3. Implement Web Application Firewall (WAF) rules to restrict or block access to the sysinfo REST endpoint (/wp-json/tribe/events/v1/sysinfo) from untrusted sources. 4. Conduct regular security audits of WordPress plugins and remove or replace those that are no longer maintained or have known vulnerabilities. 5. Limit exposure of REST API endpoints by restricting access to authenticated users where possible or using IP whitelisting for administrative endpoints. 6. Educate site administrators about the risks of enabling diagnostic data sharing features and encourage minimal exposure of sensitive information. 7. Employ security monitoring to detect unusual or unauthorized access patterns to REST API endpoints.