
CVE-2025-12526: CWE-862 Missing Authorization in michielve Private Google Calendars

Severity: Medium
Tags: CVE-2025-12526, CWE-862
Published: Tue Nov 11 2025 (11/11/2025, 03:30:45 UTC)
Source: CVE Database V5
Vendor/Project: michielve
Product: Private Google Calendars

Description

The Private Google Calendars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pgc_remove' action in all versions up to, and including, 20250811. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 20:41:08 UTC

Technical Analysis

CVE-2025-12526 is a vulnerability identified in the Private Google Calendars plugin for WordPress, developed by michielve. The issue stems from a missing capability check on the 'pgc_remove' action, which is responsible for resetting the plugin's settings. Because the handler never verifies that the caller holds an administrative capability, any authenticated user with Subscriber-level privileges or higher can invoke this action and modify plugin configuration without proper permissions. The vulnerability affects all plugin versions up to and including 20250811. The Common Weakness Enumeration (CWE) associated with this vulnerability is CWE-862 (Missing Authorization). The CVSS v3.1 base score is 4.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). In practice, an attacker needs an account with at least Subscriber-level access but can then trigger the reset remotely without any interaction from an administrator. The impact is limited to unauthorized modification of plugin settings, which could disrupt calendar functionality or cause misconfigurations. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on 2025-10-30 and published on 2025-11-11. No official patches or updates have been linked yet, so mitigation relies on access control and monitoring.

Potential Impact

The primary impact of CVE-2025-12526 is unauthorized modification of the Private Google Calendars plugin settings by authenticated users with minimal privileges (Subscriber-level or higher). This can lead to misconfiguration of calendar data, potential disruption of calendar synchronization, or denial of intended functionality. While the vulnerability does not directly compromise confidentiality or availability, the integrity of calendar data and plugin behavior is at risk. Attackers could exploit this to cause confusion, disrupt scheduling, or prepare for further attacks by altering plugin settings. Organizations relying on this plugin for critical scheduling or event management may face operational disruptions. Since the attack requires only low-level authenticated access, it increases the risk from insider threats or compromised low-privilege accounts. The lack of user interaction and network-based exploitability further broadens the attack surface. However, the absence of known exploits in the wild and the medium CVSS score indicate a moderate risk level at present.

Mitigation Recommendations

1. Immediately restrict Subscriber-level and other low-privilege user roles from accessing or triggering the 'pgc_remove' action by implementing custom capability checks or role restrictions via WordPress hooks or security plugins.
2. Monitor and audit user activities related to the Private Google Calendars plugin, especially any attempts to reset or modify plugin settings.
3. Apply any official patches or updates released by the plugin developer as soon as they become available.
4. Consider temporarily disabling the Private Google Calendars plugin if it is not critical to operations until a patch is released.
5. Use a Web Application Firewall (WAF) to detect and block unauthorized requests targeting the 'pgc_remove' action.
6. Educate users and administrators about the risk of privilege escalation and enforce strong authentication and account management policies to reduce the risk of compromised accounts.
7. Regularly review and minimize the number of users with Subscriber-level or higher access to reduce the attack surface.
8. Engage with the plugin vendor or community to encourage timely patch development and disclosure.
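The following is an added example illustrating mitigation step 1 (a capability check enforced via WordPress hooks). It is not the Private Google Calendars plugin's own code: only the action name 'pgc_remove' comes from the advisory, and the hook wiring, option name and function names are hypothetical. The first part is a site-level guard an administrator can drop into a must-use plugin as an interim control; the second part shows what a correctly authorized handler looks like for comparison.

```php
<?php
/**
 * Added example, not code from the Private Google Calendars plugin.
 * Assumptions (hypothetical): the reset is dispatched as a request to
 * wp-admin with action=pgc_remove, and the plugin stores its settings under
 * an option named 'pgc_example_settings'.
 */

/*
 * Part 1: interim site-level guard (mitigation step 1).
 * admin_init fires for admin.php, admin-post.php and admin-ajax.php alike,
 * before most plugin handlers registered at the default priority 10, so a
 * priority-1 callback can refuse the request before the plugin acts on it.
 */
function pgc_example_guard_remove_action() {
    if ( ! isset( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( 'pgc_remove' !== $action ) {
        return;
    }
    // Only users allowed to manage site options may reset plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Leave an audit trail for mitigation step 2 before refusing.
        error_log( sprintf(
            'pgc_remove denied for user %d from %s',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown'
        ) );
        wp_die(
            esc_html__( 'You are not allowed to reset these settings.', 'pgc-example' ),
            '',
            array( 'response' => 403 )
        );
    }
}
add_action( 'admin_init', 'pgc_example_guard_remove_action', 1 );

/*
 * Part 2: what the handler itself should look like.
 * Authorization (capability) and request provenance (nonce) are both checked
 * inside the handler, because admin_post_{action} fires for every logged-in
 * user regardless of role; registering the hook does not authorize anyone.
 */
function pgc_example_remove_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to reset these settings.', 'pgc-example' ),
            '',
            array( 'response' => 403 )
        );
    }
    // CSRF protection: the request must carry the nonce emitted by the
    // plugin's own settings form via wp_nonce_field().
    check_admin_referer( 'pgc_example_remove_action', 'pgc_example_nonce' );

    delete_option( 'pgc_example_settings' ); // hypothetical option name
    wp_safe_redirect( add_query_arg( 'pgc-reset', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_pgc_remove', 'pgc_example_remove_checked' );
```

The guard in Part 1 is deliberately coarse: it keys on the request's `action` parameter rather than on any knowledge of the plugin's internals, so it keeps working whether the plugin handles the reset through `admin_post_`, `admin_init` or an AJAX endpoint, as long as that code runs after `admin_init` priority 1. Once a vendor patch is applied the guard becomes redundant and can be removed. The `error_log()` call gives the denied attempts a place in the PHP error log, which is the data source mitigation step 2 needs.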


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-30T16:49:26.458Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6912b13114bc3e00ba783d67

Added to database: 11/11/2025, 3:44:49 AM

Last enriched: 2/27/2026, 8:41:08 PM

Last updated: 3/28/2026, 9:09:25 AM

Views: 44
