CVE-2025-15043 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the The Events Calendar plugin for WordPress, developed by stellarwp. The issue arises because the plugin fails to perform proper capability checks on three critical functions related to the Custom Tables V1 database migration: 'start_migration', 'cancel_migration', and 'revert_migration'. This missing authorization allows any authenticated user with subscriber-level privileges or higher to invoke these functions. The 'start_migration' and 'cancel_migration' functions control the initiation and cancellation of the database migration process, while the 'revert_migration' function can roll back the migration, which includes dropping custom database tables. Since subscribers typically have minimal privileges, this vulnerability significantly lowers the bar for exploitation. The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and partial availability impact. The vulnerability affects all versions up to and including 6.15.13. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The vulnerability could lead to disruption or loss of event-related data and site functionality, impacting the integrity and availability of affected WordPress sites using this plugin.

The primary impact of this vulnerability is on the integrity and availability of WordPress sites using The Events Calendar plugin. Attackers with subscriber-level access can manipulate the database migration process, potentially dropping custom tables that store event data. This can lead to data loss, site malfunction, or denial of service for event management features. Since the plugin is widely used for event scheduling and management on WordPress sites, organizations relying on it for critical event operations could face operational disruptions. Although confidentiality is not directly impacted, the loss or corruption of event data can have significant business consequences, including loss of customer trust and operational delays. The ease of exploitation by low-privilege authenticated users increases the risk, especially on sites that allow user registrations or have multiple contributors. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks. Organizations with high reliance on event management and those with open subscriber registrations are particularly at risk.

To mitigate this vulnerability, organizations should immediately update The Events Calendar plugin to a version that includes proper authorization checks once available. Until a patch is released, administrators should restrict subscriber-level user capabilities to prevent unauthorized access to migration functions. This can be done by customizing user roles and capabilities via WordPress role management plugins or custom code to ensure subscribers cannot access or trigger migration-related actions. Additionally, monitoring and logging of migration-related activities should be enabled to detect any unauthorized attempts. Limiting user registrations or implementing stricter user vetting can reduce the risk of exploitation. Regular backups of event data and database snapshots are critical to enable recovery in case of data loss. Finally, site administrators should review and harden WordPress security configurations, including applying the principle of least privilege and disabling unnecessary plugin features if possible.