CVE-2025-12898: CWE-862 Missing Authorization in lbell Pretty Google Calendar
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
AI Analysis
Technical Summary
The Pretty Google Calendar plugin for WordPress, developed by lbell, suffers from a missing authorization vulnerability identified as CVE-2025-12898 (CWE-862). The vulnerability exists in the pgcal_ajax_handler() function, which lacks proper capability checks, allowing unauthenticated users to invoke this AJAX handler and retrieve the Google API key stored in the plugin's settings. This key is sensitive as it grants access to Google APIs, potentially enabling attackers to perform unauthorized actions or consume API quotas. The vulnerability affects all versions up to and including 2.0.0. The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (AV:N), no required privileges (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L), with no impact on integrity or availability. The flaw does not require authentication or user interaction, making exploitation relatively easy for remote attackers. No patches or fixes are currently published, and no known exploits have been reported in the wild. The vulnerability was reserved in early November 2025 and published in December 2025. Given the widespread use of WordPress and Google APIs, this vulnerability poses a risk of leaking sensitive API credentials, which could be leveraged for further attacks or abuse of Google services.
Potential Impact
For European organizations, the exposure of Google API keys can lead to unauthorized access to Google services integrated via the Pretty Google Calendar plugin, such as calendar data retrieval or manipulation, depending on the API scopes granted. This can result in confidentiality breaches, data leakage, and potential abuse of Google API quotas, leading to service disruptions or additional costs. Organizations relying on Google APIs for business-critical operations may face operational risks if attackers misuse the exposed keys. Additionally, the leaked keys could be used as a foothold for further attacks or reconnaissance. Since the vulnerability does not affect integrity or availability directly, the primary concern is unauthorized data exposure and potential downstream abuse. The ease of exploitation and lack of authentication requirements increase the risk profile, especially for public-facing WordPress sites. European entities with strict data protection regulations (e.g., GDPR) may also face compliance risks if sensitive data is exposed due to this vulnerability.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the vulnerable AJAX endpoint, for example with web application firewall (WAF) rules that block unauthenticated requests to the AJAX action that invokes pgcal_ajax_handler(). Administrators should treat any Google API key configured in the plugin as potentially exposed, and rotate it to prevent unauthorized use. Monitoring API key usage for unusual activity is critical to detect potential abuse early. Until an official patch is released, consider disabling or removing the Pretty Google Calendar plugin if feasible. If the plugin is essential, isolate it behind access controls or IP allowlisting to limit exposure. Developers should implement proper capability checks on all AJAX handlers, and avoid registering handlers that return secrets for unauthenticated (nopriv) requests, so that only authorized users can access sensitive data. Once a patch becomes available, apply it promptly. Additionally, organizations should review their Google API permissions to follow the principle of least privilege, minimizing the impact of any key exposure.
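The following is an added illustration of the developer-side fix described above; it is not the Pretty Google Calendar plugin's code. The option name, AJAX action name and nonce name are placeholders; the pattern (a handler reachable without a capability check, beside a hardened one) is the general CWE-862 case the advisory describes.

```php
<?php
// Hypothetical WordPress plugin code written for this example; the option name
// 'example_plugin_google_api_key', the action 'example_plugin_settings' and the
// nonce 'example_plugin_settings_nonce' are placeholders, not the plugin's own.

// UNSAFE PATTERN: the handler is hooked for logged-out users (wp_ajax_nopriv_*)
// and returns a stored secret without checking who is asking.
function example_plugin_ajax_handler_unsafe() {
    $key = get_option( 'example_plugin_google_api_key', '' );
    wp_send_json_success( array( 'api_key' => $key ) );
}
add_action( 'wp_ajax_example_plugin_settings',        'example_plugin_ajax_handler_unsafe' );
add_action( 'wp_ajax_nopriv_example_plugin_settings', 'example_plugin_ajax_handler_unsafe' );

// HARDENED: nonce check, capability check, no nopriv hook, and a masked response.
function example_plugin_ajax_handler_safe() {
    // Reject requests that did not originate from a settings page this plugin rendered.
    check_ajax_referer( 'example_plugin_settings_nonce', 'nonce' );

    // Only users allowed to manage site options may read plugin secrets.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $key = get_option( 'example_plugin_google_api_key', '' );
    // Return only what the admin UI needs to confirm a key is set; the full key
    // never has to travel back to the browser.
    wp_send_json_success( array( 'api_key_last4' => substr( $key, -4 ) ) );
}
// Authenticated requests only: the wp_ajax_nopriv_* hook is deliberately not registered.
add_action( 'wp_ajax_example_plugin_settings', 'example_plugin_ajax_handler_safe' );
```

Removing the nopriv hook alone is not sufficient, since any logged-in subscriber could still reach the handler; the current_user_can() check is what enforces authorization.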
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-07T19:05:37.066Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694619d2c376abdb7ecb86a1
Added to database: 12/20/2025, 3:36:50 AM
Last enriched: 12/27/2025, 4:22:50 AM
Last updated: 2/5/2026, 11:07:23 PM