The vulnerability CVE-2025-24537 involves a Cross-Site Request Forgery (CSRF) issue in the StellarWP The Events Calendar plugin for WordPress, affecting versions up to 6.7.0. CSRF vulnerabilities enable attackers to induce users to execute unwanted actions on a web application in which they are authenticated. This vulnerability has a CVSS 3.1 base score of 5.4, with network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. There is no vendor advisory or patch information provided, and no known exploits have been reported.

The vulnerability can allow attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to limited integrity and availability impacts. Confidentiality is not affected. Since no known exploits are reported, the immediate risk may be limited, but exploitation could disrupt normal plugin operations or modify data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted links and consider restricting access to the plugin's administrative functions. Monitor official StellarWP channels for updates and apply patches promptly once released.