
CVE-2025-12192: CWE-697 Incorrect Comparison in stellarwp The Events Calendar

Medium
Tags: Vulnerability, CVE-2025-12192, CWE-697
Published: Wed Nov 05 2025 (11/05/2025, 09:27:40 UTC)
Source: CVE Database V5
Vendor/Project: stellarwp
Product: The Events Calendar

Description

The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever the "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.

AI-Powered Analysis

Last updated: 11/05/2025, 09:53:07 UTC

Technical Analysis

CVE-2025-12192 affects The Events Calendar plugin for WordPress in versions up to and including 6.15.9. The root cause is an incorrect comparison (CWE-697) in the plugin's sysinfo REST endpoint: the key supplied by the caller is compared to the stored opt-in key with PHP's loose equality operator (==) rather than a type-strict check. Under loose comparison a boolean is compared by truthiness, so a JSON body that sends the key as the literal true is decoded to a PHP boolean and compares equal to any non-empty stored key (false would only match an empty key). The attacker therefore does not need to know or guess the key at all; a single request with a boolean in place of the string bypasses the check that gates the endpoint. This behaviour is unchanged in PHP 8, whose stricter string-to-number comparison rules do not apply to booleans. When the setting "Yes, automatically share my system information with The Events Calendar support team" is enabled, an unauthenticated remote attacker can retrieve the full system report, which may include environment details, software versions and configuration data useful for reconnaissance and for choosing follow-on attacks. Exploitation requires no privileges or user interaction and affects confidentiality only; integrity and availability are not impacted. The CVSS v3.1 base score reported here is 5.3 (medium), reflecting easy exploitation with limited scope. This analysis records no public patch or exploit at the time it was generated; treat the advisory as actionable regardless, because the request is trivial to construct, and check the plugin changelog for a release newer than 6.15.9. The underlying mistake, relying on == where a secret must match exactly, is a well-known PHP pitfall; the correct pattern is a type check followed by a constant-time comparison such as hash_equals().
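As an added illustration (not code from The Events Calendar or Wordfence), the following PHP script reconstructs the comparison pattern that the description and the analysis above refer to, places a hardened version beside it, and feeds both the kind of JSON bodies a REST route receives. The stored key value, the parameter name key and both function names are assumptions made for the example.

```php
<?php
// Added illustrative example, not the plugin's code: how PHP's loose
// comparison lets a JSON boolean match an arbitrary secret key.

/**
 * Vulnerable pattern (reconstructed from the advisory's description):
 * loose equality between the caller-supplied value and the stored key.
 */
function key_matches_loose($provided, string $stored): bool
{
    return $provided == $stored;
}

/**
 * Hardened check: refuse anything that is not a string, refuse an empty
 * stored key, then compare with a type-strict, constant-time function.
 */
function key_matches_strict($provided, string $stored): bool
{
    if (!is_string($provided) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $provided);
}

// ASSUMPTION: a made-up stored opt-in key, not a real one.
$stored = 'a3f9c2e1b7d4f0e8';

// Constructed request bodies. json_decode() turns the JSON literal true
// into a PHP boolean, not the string "true"; that is what the bug relies on.
$bodies = [
    '{"key":"a3f9c2e1b7d4f0e8"}',  // the real key
    '{"key":"wrong"}',             // a wrong key
    '{"key":true}',                // boolean true: truthy against any non-empty string
    '{"key":false}',               // boolean false: equal only to an empty key
    '{"key":1}',                   // integer: no match under PHP 7 or PHP 8 rules
];

foreach ($bodies as $json) {
    $provided = json_decode($json, true)['key'];
    printf(
        "%-28s type=%-7s loose=%-5s strict=%s\n",
        $json,
        gettype($provided),
        var_export(key_matches_loose($provided, $stored), true),
        var_export(key_matches_strict($provided, $stored), true)
    );
}
```

Run it with `php example.php`. The loose check reports a match for the real key and for the bare JSON true, while the strict check matches only the real key. The integer case is included to show that PHP 8's revised string-to-number comparison is irrelevant here: it is the boolean branch of loose comparison, unchanged across versions, that produces the bypass.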

Potential Impact

For European organizations, this vulnerability risks unauthorized disclosure of system information from WordPress sites that run an affected version of The Events Calendar with the opt-in sharing feature enabled. The leaked system report can reveal environment details, software versions and configuration data that attackers can use to select targeted exploits against other components of the site or host. The flaw does not itself compromise data integrity or availability, but the confidentiality breach lowers the cost of subsequent attacks. Organizations handling sensitive or regulated data may also face compliance questions if infrastructure details are exposed. Public-facing sites in sectors such as government, finance, healthcare and critical infrastructure are at higher risk because they attract targeted attention. The medium CVSS score indicates a vulnerability that is not critical but serious enough to warrant timely remediation.

Mitigation Recommendations

European organizations should audit their WordPress installations for The Events Calendar and check the installed version. Sites running 6.15.9 or earlier should disable the "Yes, automatically share my system information with The Events Calendar support team" setting, which removes the exposure immediately, and then update to a release newer than 6.15.9 as soon as one is available; the update is the definitive fix. Where updating must wait, add a web application firewall rule or a site-level filter that rejects requests to the sysinfo REST endpoint whose key parameter is not a plain string (a JSON true or false, or a number, is never a legitimate key). Restrict the affected route, not the whole REST API, to authenticated users or trusted IP ranges: limiting all of /wp-json/ to authenticated users breaks front-end features that many plugins load over the REST API for anonymous visitors. Log and review requests to the sysinfo endpoint for non-string key values and for unexpected source addresses, since a successful request otherwise leaves no trace in the application. Finally, make administrators aware that enabling automatic system information sharing widens the attack surface and should be switched off when not needed.
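One way to implement the interim blocking rule without a commercial WAF, as an added example rather than code from the plugin vendor: a must-use plugin that hooks WordPress's rest_pre_dispatch filter and refuses any request to the sysinfo route whose key is not a string. The route fragment and the parameter name key are assumptions; the advisory names only "the sysinfo REST endpoint", so confirm the real route on your site (the /wp-json/ index lists registered routes) before relying on this.

```php
<?php
/**
 * Plugin Name: Reject non-string sysinfo keys (stopgap)
 *
 * Added example, not code from The Events Calendar or Wordfence. Drop this
 * file into wp-content/mu-plugins/ to short-circuit REST requests to the
 * sysinfo route whose "key" parameter is not a string, until the plugin is
 * updated past 6.15.9.
 */

// ASSUMPTION: route fragment of the sysinfo endpoint. Replace with the
// real route as listed by /wp-json/ on your installation.
const TEC_SYSINFO_ROUTE_FRAGMENT = '/sysinfo';

// ASSUMPTION: name of the request parameter that carries the opt-in key.
const TEC_SYSINFO_KEY_PARAM = 'key';

add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    // Another filter has already produced a response; leave it alone.
    if ($result !== null) {
        return $result;
    }

    // Only inspect the endpoint we care about.
    if (strpos($request->get_route(), TEC_SYSINFO_ROUTE_FRAGMENT) === false) {
        return null;
    }

    // get_param() merges query, body and JSON parameters; a JSON body of
    // {"key":true} arrives here as a PHP boolean, which is exactly the
    // value that passes the plugin's loose comparison.
    $key = $request->get_param(TEC_SYSINFO_KEY_PARAM);

    if ($key !== null && !is_string($key)) {
        error_log(sprintf(
            'Blocked sysinfo request with non-string %s (type=%s) from %s',
            TEC_SYSINFO_KEY_PARAM,
            gettype($key),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        // Returning a WP_Error here stops dispatch before the route callback.
        return new WP_Error('rest_forbidden', 'Invalid key.', ['status' => 403]);
    }

    // A string key is passed through to the plugin's own check, unchanged.
    return null;
}, 10, 3);
```

Returning a WP_Error from rest_pre_dispatch short-circuits dispatch, so the plugin's own callback, and the loose comparison inside it, never run for the blocked request. A caller who presents a string key is still let through to the plugin's check, as intended. This is a stopgap for the specific bypass described here, not a replacement for updating the plugin; the error_log line also gives you a record of attempts to review alongside web server logs.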


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-24T20:31:22.244Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690b1bd197eccd907387bdc2

Added to database: 11/5/2025, 9:41:37 AM

Last enriched: 11/5/2025, 9:53:07 AM

Last updated: 11/5/2025, 10:44:09 AM


