The vulnerability identified as CVE-2025-12898 affects the Pretty Google Calendar plugin for WordPress, specifically all versions up to and including 2.0.0. The root cause is a missing authorization check (CWE-862) in the pgcal_ajax_handler() function, which handles AJAX requests related to the plugin's operations. Because the function does not verify user capabilities or authentication status, any unauthenticated attacker can invoke it remotely to retrieve the Google API key stored in the plugin's settings. This key is sensitive as it grants access to Google services configured by the site administrator. The vulnerability is exploitable over the network without any user interaction or privileges, making it relatively easy to exploit. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the limited impact to confidentiality only, with no integrity or availability consequences. No patches are currently linked, and no known exploits have been reported in the wild, but the exposure of API keys can lead to further attacks such as unauthorized API usage, quota exhaustion, or data leakage from Google services. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface for websites relying on it to display Google Calendar data.

The primary impact of CVE-2025-12898 is the unauthorized disclosure of Google API keys configured in the Pretty Google Calendar plugin. This compromises the confidentiality of sensitive credentials, potentially allowing attackers to misuse the Google API for malicious purposes such as data scraping, quota abuse, or accessing additional Google services tied to the compromised key. Although the vulnerability does not directly affect the integrity or availability of the affected WordPress sites, the stolen API keys could be leveraged in broader attacks against the organization’s Google Cloud resources or services. Organizations relying on this plugin risk reputational damage, increased operational costs due to API abuse, and potential compliance issues if sensitive data is exposed through the API misuse. The ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic attacks, especially on publicly accessible WordPress sites.

1. Monitor for and apply official patches or updates from the plugin vendor as soon as they become available. 2. In the absence of patches, implement web server-level access controls (e.g., using .htaccess rules or firewall rules) to restrict access to the AJAX handler endpoint (pgcal_ajax_handler) to authenticated users or trusted IP addresses only. 3. Review and rotate Google API keys used in the plugin to invalidate any potentially compromised credentials. 4. Limit the permissions and scopes granted to the Google API keys to the minimum necessary to reduce the impact of potential compromise. 5. Consider disabling or uninstalling the Pretty Google Calendar plugin if it is not essential or if a timely patch is unavailable. 6. Employ WordPress security plugins that can detect and block unauthorized AJAX requests or anomalous behavior. 7. Conduct regular security audits of WordPress plugins and configurations to identify and remediate missing authorization issues proactively.