CVE-2025-9808 is an information exposure vulnerability classified under CWE-200 affecting The Events Calendar plugin for WordPress, versions up to and including 6.15.2. The flaw exists in the plugin's REST API endpoint, which fails to enforce proper access controls, allowing unauthenticated attackers to retrieve sensitive information about password-protected vendors or venues. This exposure occurs because the REST endpoint does not verify authentication or authorization before disclosing details that should be restricted. The vulnerability does not permit data modification or denial of service but compromises confidentiality by leaking sensitive data. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to network exploitable vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact confined to confidentiality (C:L). No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability affects all versions up to 6.15.2, indicating a broad scope among users of this popular WordPress plugin. The exposure of vendor or venue information could facilitate targeted phishing, social engineering, or reconnaissance activities by malicious actors.

The primary impact of CVE-2025-9808 is the unauthorized disclosure of sensitive information related to password-protected vendors or venues managed via The Events Calendar plugin. While it does not allow attackers to alter or disrupt services, the confidentiality breach can undermine user privacy and organizational security. Attackers could leverage the exposed data to craft more convincing phishing campaigns, perform social engineering, or gather intelligence for subsequent attacks. Organizations relying on this plugin for event management may face reputational damage and potential regulatory compliance issues if sensitive data is leaked. The vulnerability's ease of exploitation without authentication increases the risk of widespread scanning and data harvesting. Although no active exploitation is reported yet, the vulnerability's presence in a widely used WordPress plugin means many websites globally are potentially vulnerable, increasing the attack surface.

To mitigate CVE-2025-9808, organizations should immediately update The Events Calendar plugin to a patched version once available. In the absence of an official patch, administrators should restrict access to the vulnerable REST API endpoints by implementing authentication requirements or IP-based access controls via web server configurations or WordPress security plugins. Employing a Web Application Firewall (WAF) with custom rules to block unauthenticated requests targeting the REST endpoint can reduce exposure. Additionally, reviewing and minimizing the exposure of sensitive vendor or venue information within the plugin settings can limit data leakage. Monitoring web server logs for unusual REST API access patterns may help detect exploitation attempts. Regular security audits of WordPress plugins and timely application of updates are essential to prevent similar vulnerabilities.