
CVE-2025-12898: CWE-862 Missing Authorization in lbell Pretty Google Calendar

Severity: Medium
Published: Sat Dec 20 2025 (12/20/2025, 03:20:22 UTC)
Source: CVE Database V5
Vendor/Project: lbell
Product: Pretty Google Calendar

Description

The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.

AI-Powered Analysis

Last updated: 12/20/2025, 03:53:41 UTC

Technical Analysis

The Pretty Google Calendar plugin for WordPress, developed by lbell, suffers from a missing authorization vulnerability identified as CVE-2025-12898 (CWE-862). The vulnerability exists in the pgcal_ajax_handler() function, which handles AJAX requests but lacks proper capability checks to verify if the requester is authorized. As a result, unauthenticated attackers can invoke this function remotely to retrieve the Google API key stored in the plugin's settings. This API key is sensitive as it can grant access to Google services linked to the calendar, potentially enabling attackers to gather calendar data or abuse the API quota. The vulnerability affects all versions up to and including 2.0.0. The CVSS v3.1 base score is 5.3, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) with no integrity or availability impact. No patches or fixes have been published yet, and no known exploits are reported in the wild. The vulnerability is classified under CWE-862, indicating missing authorization checks. This flaw is particularly concerning for WordPress sites that rely on the Pretty Google Calendar plugin to display Google Calendar data, as exposure of the API key can lead to unauthorized data access or quota abuse. Since the attack requires no authentication and can be performed remotely, it poses a significant risk to affected sites until mitigated.

Potential Impact

For European organizations, the exposure of Google API keys through this vulnerability can lead to unauthorized access to Google Calendar data, potentially leaking sensitive scheduling or organizational information. Attackers could also abuse the API key to perform actions that consume API quotas, leading to service disruptions or additional costs. While the vulnerability does not directly compromise the integrity or availability of the affected WordPress sites, the confidentiality breach can have downstream effects such as reputational damage, compliance violations (e.g., GDPR if personal data is exposed), and increased risk of targeted phishing or social engineering attacks using calendar information. Organizations relying on the Pretty Google Calendar plugin for internal or public-facing sites are at risk, especially if the API key is linked to sensitive Google services. The lack of authentication requirement and ease of exploitation increase the likelihood of automated scanning and exploitation attempts, raising the urgency for mitigation in European contexts where data protection regulations are stringent.

Mitigation Recommendations

Since no official patch is currently available, European organizations should implement immediate compensating controls. These include restricting access to the vulnerable AJAX endpoint (pgcal_ajax_handler) by configuring web application firewalls (WAFs) or server-level access controls (e.g., .htaccess rules) to allow only trusted IP addresses or authenticated users. Organizations should audit their WordPress installations to identify usage of the Pretty Google Calendar plugin and assess exposure. If possible, temporarily disable the plugin until a patch is released. Additionally, rotate the exposed Google API keys to invalidate any potentially compromised credentials. Monitor web server logs for suspicious access patterns targeting the AJAX handler. Once a vendor patch is available, apply it promptly. Educate site administrators about the risks of exposing API keys and enforce the principle of least privilege in API key permissions to limit potential damage from key exposure.
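The missing-check pattern described in the Technical Analysis, beside the hardened shape the mitigation advice points to. This is an added illustration, not the Pretty Google Calendar plugin's own code; the action names, the option name `pgcal_example_api_key`, and the function names are assumptions. The hardened handler is registered only for logged-in users, verifies a nonce and a capability, and keeps the key server-side by proxying the Google Calendar request instead of handing the key to the browser.

```php
<?php
// Added example, not the plugin's code. All names below are assumed.

// Vulnerable pattern (CWE-862): the handler is reachable by anonymous callers
// through the wp_ajax_nopriv_* hook and returns the stored key without any
// authorization check. Do not ship this shape.
add_action( 'wp_ajax_nopriv_pgcal_example', 'pgcal_example_insecure_handler' );
add_action( 'wp_ajax_pgcal_example', 'pgcal_example_insecure_handler' );
function pgcal_example_insecure_handler() {
    wp_send_json( array( 'api_key' => get_option( 'pgcal_example_api_key' ) ) );
}

// Hardened pattern: no nopriv hook, nonce + capability check, and the key
// never leaves the server; the handler proxies the calendar request instead.
add_action( 'wp_ajax_pgcal_example_events', 'pgcal_example_secure_handler' );
function pgcal_example_secure_handler() {
    // CSRF check; the client obtains the nonce via wp_create_nonce( 'pgcal_example' ).
    check_ajax_referer( 'pgcal_example', 'nonce' );

    // Authorization (the check CWE-862 is about): restrict to a specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $calendar_id = isset( $_POST['calendar_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['calendar_id'] ) )
        : '';
    if ( '' === $calendar_id ) {
        wp_send_json_error( array( 'message' => 'calendar_id required' ), 400 );
    }

    // The key is read here and used only for the outbound request.
    $api_key = get_option( 'pgcal_example_api_key' );
    $url     = add_query_arg(
        array( 'key' => $api_key, 'maxResults' => 50 ),
        'https://www.googleapis.com/calendar/v3/calendars/' . rawurlencode( $calendar_id ) . '/events'
    );
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( array( 'message' => 'upstream error' ), 502 );
    }

    // Only the calendar payload reaches the client; the key stays server-side.
    wp_send_json_success( json_decode( wp_remote_retrieve_body( $response ), true ) );
}
```

Because every WordPress plugin shares `admin-ajax.php`, a blanket access rule on that file would break other plugins; a WAF rule should instead match the specific `action` parameter the vulnerable handler is registered under.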


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-07T19:05:37.066Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 694619d2c376abdb7ecb86a1

Added to database: 12/20/2025, 3:36:50 AM

Last enriched: 12/20/2025, 3:53:41 AM

Last updated: 12/20/2025, 9:17:08 AM