CVE-2025-12192: CWE-697 Incorrect Comparison in stellarwp The Events Calendar
The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
AI Analysis
Technical Summary
CVE-2025-12192 is an information disclosure vulnerability in the The Events Calendar WordPress plugin caused by CWE-697 (Incorrect Comparison). The sysinfo REST endpoint compares a provided key to a stored opt-in key using a loose comparison, which can be bypassed by sending a boolean value. This allows unauthenticated attackers to retrieve the full system report when the automatic system information sharing setting is enabled. The vulnerability affects versions up to and including 6.15.9.
Potential Impact
An unauthenticated attacker can obtain sensitive system information from the affected WordPress site if the automatic system information sharing setting is enabled. This information disclosure could aid attackers in further reconnaissance but does not directly impact integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, consider disabling the automatic system information sharing setting in The Events Calendar plugin to prevent exposure of system reports. Monitor vendor channels for updates and apply official fixes once released.
CVE-2025-12192: CWE-697 Incorrect Comparison in stellarwp The Events Calendar
Description
The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-12192 is an information disclosure vulnerability in the The Events Calendar WordPress plugin caused by CWE-697 (Incorrect Comparison). The sysinfo REST endpoint compares a provided key to a stored opt-in key using a loose comparison, which can be bypassed by sending a boolean value. This allows unauthenticated attackers to retrieve the full system report when the automatic system information sharing setting is enabled. The vulnerability affects versions up to and including 6.15.9.
Potential Impact
An unauthenticated attacker can obtain sensitive system information from the affected WordPress site if the automatic system information sharing setting is enabled. This information disclosure could aid attackers in further reconnaissance but does not directly impact integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, consider disabling the automatic system information sharing setting in The Events Calendar plugin to prevent exposure of system reports. Monitor vendor channels for updates and apply official fixes once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-24T20:31:22.244Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690b1bd197eccd907387bdc2
Added to database: 11/5/2025, 9:41:37 AM
Last enriched: 4/9/2026, 9:17:49 AM
Last updated: 5/10/2026, 3:46:49 AM
Views: 219
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.