
CVE-2025-12408: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in netweblogic Events Manager – Calendar, Bookings, Tickets, and more!

Severity: Medium
Tags: Vulnerability, CVE-2025-12408, CWE-200
Published: Fri Dec 12 2025 (12/12/2025, 11:15:50 UTC)
Source: CVE Database V5
Vendor/Project: netweblogic
Product: Events Manager – Calendar, Bookings, Tickets, and more!

Description

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 20:32:09 UTC

Technical Analysis

CVE-2025-12408 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the 'Events Manager – Calendar, Bookings, Tickets, and more!' WordPress plugin developed by netweblogic. This plugin, widely used for managing events, bookings, and tickets, contains a flaw in its 'get_location' action that fails to properly restrict access to location data associated with events. Specifically, the vulnerability allows unauthenticated attackers to extract sensitive information from locations tied to password-protected, private, or draft events, which should normally be inaccessible without proper authorization. The root cause is insufficient access control checks on which event locations can be included in responses to the 'get_location' action. The vulnerability affects all versions up to and including 7.2.2.2. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the ease of remote exploitation without authentication or user interaction, but limited to confidentiality impact only. There are no known exploits in the wild at the time of publication. The exposure of sensitive location data could lead to privacy violations, leakage of confidential event details, and potential reconnaissance for further attacks. The plugin's widespread use in WordPress sites makes this a notable risk, especially for organizations relying on event privacy. No official patches were listed at the time of reporting, so mitigation may require manual access control reviews or plugin updates once available.

Potential Impact

The primary impact of CVE-2025-12408 is the unauthorized disclosure of sensitive event location information, including those marked as password-protected, private, or drafts. This breach of confidentiality can undermine user privacy, expose business-sensitive event details, and facilitate further targeted attacks or social engineering by revealing internal or restricted event data. While the vulnerability does not affect data integrity or system availability, the leakage of sensitive information can damage organizational reputation and trust. For organizations managing confidential or proprietary events, this exposure could lead to competitive disadvantages or regulatory compliance issues, especially under data protection laws that mandate safeguarding personal or sensitive information. Since exploitation requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of automated scanning and data harvesting by malicious actors. The absence of known exploits currently limits immediate widespread impact, but the vulnerability remains a significant risk until remediated.

Mitigation Recommendations

Organizations should immediately assess their use of the 'Events Manager – Calendar, Bookings, Tickets, and more!' plugin and identify if versions up to 7.2.2.2 are deployed. Until an official patch is released, administrators should consider the following mitigations:

(1) Restrict access to the 'get_location' action by implementing web application firewall (WAF) rules that block unauthenticated requests targeting this endpoint or action parameter.
(2) Limit public exposure of event location data by configuring plugin settings to minimize information disclosure, such as disabling public access to draft or private event locations.
(3) Employ strict user role and permission management to ensure only authorized users can access sensitive event data.
(4) Monitor web server logs and application logs for unusual or repeated access attempts to the 'get_location' action, indicating potential exploitation attempts.
(5) Consider temporarily disabling or replacing the plugin if sensitive data exposure risk is unacceptable and no patch is available.
(6) Stay updated with vendor advisories and apply patches promptly once released.
(7) Conduct security audits and penetration testing focused on event management functionalities to detect any residual access control weaknesses.
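As an added example of recommendation (4), not code from the advisory or the plugin, the following Python script scans web server access logs in combined log format for requests carrying the 'get_location' action parameter and flags client IPs that issue bursts of such requests. The log lines are constructed for illustration; the admin-ajax.php path in them is an assumption, and the detector keys only on the action parameter named above, so it works regardless of which path the plugin actually routes the action through.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format. The
# admin-ajax.php path is an assumption used for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2025:11:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&id=17 HTTP/1.1" 200 812 "-" "python-requests/2.32"
203.0.113.7 - - [12/Dec/2025:11:20:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&id=18 HTTP/1.1" 200 790 "-" "python-requests/2.32"
203.0.113.7 - - [12/Dec/2025:11:20:04 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&id=19 HTTP/1.1" 200 801 "-" "python-requests/2.32"
203.0.113.7 - - [12/Dec/2025:11:20:05 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&id=20 HTTP/1.1" 200 805 "-" "python-requests/2.32"
198.51.100.4 - - [12/Dec/2025:11:21:10 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&id=3 HTTP/1.1" 200 640 "https://example.test/events/" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2025:11:22:00 +0000] "GET /events/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = urlsplit(rec["target"]).query
    return rec


def targets_get_location(target):
    """True if the request target carries an action=get_location query parameter."""
    qs = parse_qs(urlsplit(target).query)
    return "get_location" in [a.lower() for a in qs.get("action", [])]


def scan_log(lines, threshold=3, window=timedelta(seconds=60)):
    """Group get_location requests by client IP and flag bursts.

    An IP is flagged when at least `threshold` such requests fall inside any
    `window`-long interval. distinct_queries counts unique query strings, a
    simple indicator of enumeration across many location ids.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_get_location(rec["target"]):
            continue
        per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        times = sorted(r["time"] for r in recs)
        # Sliding window over sorted timestamps to find the largest burst.
        max_burst, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            max_burst = max(max_burst, end - start + 1)
        report[ip] = {
            "hits": len(recs),
            "distinct_queries": len({r["query"] for r in recs}),
            "max_burst": max_burst,
            "flagged": max_burst >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG.splitlines()).items():
        marker = "ALERT" if info["flagged"] else "ok   "
        print(f"{marker} {ip}: {info['hits']} get_location requests, "
              f"{info['distinct_queries']} distinct queries, burst={info['max_burst']}")
```

Run it against a real log with `scan_log(open("access.log").readlines())`. A single hit from a browser with a site referer (198.51.100.4 above) is ordinary front-end behaviour, while a tight burst of distinct queries from a scripted user agent is the pattern worth alerting on; tune the threshold and window to the site's normal traffic so legitimate calendar pages do not trip it.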


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-28T15:15:50.054Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693bfc942d1261d38d80bd97

Added to database: 12/12/2025, 11:29:24 AM

Last enriched: 2/27/2026, 8:32:09 PM

Last updated: 3/26/2026, 3:24:35 AM

Views: 88
