
CVE-2025-5733: CWE-201 Insertion of Sensitive Information Into Sent Data in webnus/ Modern Events Calendar Lite

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2025-5733, cwe-201
Published: Fri Jun 06 2025 (06/06/2025, 03:41:23 UTC)
Source: CVE Database V5
Vendor/Project: webnus/
Product: Modern Events Calendar Lite

Description

The Modern Events Calendar Lite plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 7.21.9. This is due to improper or insufficient validation of the id property when exporting calendars. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 15:31:49 UTC

Technical Analysis

CVE-2025-5733 is a vulnerability classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) affecting the Modern Events Calendar Lite plugin for WordPress, versions up to 7.21.9. The flaw arises from insufficient validation of the 'id' property when exporting calendar data, which allows unauthenticated attackers to retrieve the full filesystem path of the web application. This full path disclosure occurs because the plugin inadvertently includes sensitive path information in its response to crafted export requests. While the disclosed information does not directly compromise confidentiality, integrity, or availability, it provides attackers with valuable reconnaissance data that can be leveraged to identify the server environment, directory structure, and potentially facilitate more damaging attacks such as local file inclusion, remote code execution, or privilege escalation if other vulnerabilities exist. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the limited direct impact but ease of exploitation and potential to aid further attacks. No patches or mitigations were linked at the time of disclosure, and no active exploits have been reported in the wild. The vulnerability was publicly disclosed on June 6, 2025, and assigned by Wordfence.
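A response-body check for leaked absolute server paths, usable as a regression check after updating the plugin or as an outbound response filter. This is an added example, not code from the plugin or the advisory; the path heuristics, the function names and the sample responses are constructed, and the PHP-style error format is an assumption because the page does not show the actual response.

```python
import re

# Heuristic patterns for absolute server paths (assumed list of common roots
# and web-app markers; extend both for your own hosting layout).
POSIX_PATH = re.compile(
    r"(?<![\w.:/])"                     # not part of a URL or a longer path
    r"/(?:var/www|home|srv|opt|usr)/"   # roots a web app typically lives under
    r"[\w.\-/]*"
    r"(?:wp-content|wp-includes|public_html|htdocs|\.php)"  # web-app marker
    r"[\w.\-/]*"
)
WINDOWS_PATH = re.compile(r"(?<!\w)[A-Za-z]:\\(?:[\w.\- ]+\\)+[\w.\-]+\.php")

# Constructed sample responses (not captured from a real site).
LEAKY = ("<b>Warning</b>: Attempt to read property on null in "
         "<b>/var/www/html/wp-content/plugins/example-plugin/export.php</b> "
         "on line <b>42</b>")
LEAKY_WIN = ("Fatal error: Uncaught Error in "
             r"C:\inetpub\wwwroot\wp-content\plugins\example-plugin\export.php"
             " on line 7")
CLEAN = ("BEGIN:VCALENDAR\r\nURL:https://example.com/home/events/42\r\n"
         '<a href="/events/list.php">all</a>\r\nEND:VCALENDAR')


def find_path_leaks(body: str) -> list[str]:
    """Return the unique absolute server paths found in a response body."""
    hits = set()
    for pattern in (POSIX_PATH, WINDOWS_PATH):
        hits.update(m.group(0).rstrip(".") for m in pattern.finditer(body))
    return sorted(hits)


def redact_paths(body: str, placeholder: str = "[path removed]") -> str:
    """Replace every detected server path, e.g. in an outbound filter."""
    for pattern in (POSIX_PATH, WINDOWS_PATH):
        body = pattern.sub(placeholder, body)
    return body


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("windows", LEAKY_WIN), ("clean", CLEAN)):
        print(name, find_path_leaks(body))
```

The lookbehind keeps public URLs such as `https://example.com/home/events/42` from being flagged, so only filesystem-style paths are reported.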

Potential Impact

The primary impact of CVE-2025-5733 is information disclosure, specifically revealing the full filesystem path of the web server hosting the Modern Events Calendar Lite plugin. While this does not immediately compromise sensitive data or system integrity, it significantly aids attackers in crafting more precise and effective attacks by providing insight into the server environment and directory layout. This can facilitate exploitation of other vulnerabilities such as local file inclusion, path traversal, or privilege escalation. For organizations, this means an increased risk of targeted attacks against WordPress sites using this plugin, potentially leading to data breaches, website defacement, or service disruption if combined with additional vulnerabilities. The vulnerability affects all installations of the plugin up to version 7.21.9, which is widely used in WordPress sites globally, including small businesses, event organizers, and enterprises relying on WordPress for content management. The ease of exploitation without authentication or user interaction increases the likelihood of opportunistic scanning and reconnaissance by attackers. However, the lack of known active exploits and the medium severity rating suggest the immediate threat is moderate but should not be ignored.

Mitigation Recommendations

1. Monitor for and apply official patches or updates from the plugin vendor (webnus) as soon as they become available to remediate the vulnerability.
2. Until patches are released, restrict access to the calendar export functionality by implementing IP whitelisting or authentication controls at the web server or application level to prevent unauthenticated requests.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'id' parameter in calendar export endpoints.
4. Conduct regular security assessments and vulnerability scans on WordPress installations to identify outdated plugins and configuration weaknesses.
5. Implement least privilege principles for WordPress users and server file permissions to limit the impact of potential follow-on attacks.
6. Monitor logs for unusual access patterns or repeated requests to the export functionality that may indicate reconnaissance attempts.
7. Educate site administrators about the risks of using outdated plugins and the importance of timely updates.
8. Consider disabling or replacing the Modern Events Calendar Lite plugin if immediate patching is not feasible and the export feature is not critical to operations.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-05T15:04:36.173Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842df031a426642debc9583

Added to database: 6/6/2025, 12:28:51 PM

Last enriched: 2/27/2026, 3:31:49 PM

Last updated: 3/22/2026, 10:33:02 AM
