
CVE-2025-9808: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in theeventscalendar The Events Calendar

Severity: Medium
Tags: Vulnerability, CVE-2025-9808, CWE-200
Published: Tue Sep 16 2025 (09/16/2025, 05:25:26 UTC)
Source: CVE Database V5
Vendor/Project: theeventscalendar
Product: The Events Calendar

Description

The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues.

AI-Powered Analysis

AI analysis last updated: 09/17/2025, 00:10:10 UTC

Technical Analysis

CVE-2025-9808 is a medium-severity information-exposure vulnerability (CWE-200) in The Events Calendar plugin for WordPress, affecting all versions up to and including 6.15.2. The flaw is in one of the plugin's REST endpoints, which returns details of password-protected vendor or venue records to callers who have not supplied the post password. In WordPress, password protection on a post is a content gate: a visitor who has not entered the password should see neither the content nor the fields a REST representation normally carries, and core's own REST controllers enforce that gate by withholding protected fields. An endpoint that serves the record regardless of the gate turns the protection into a label rather than a control.

No authentication or user interaction is required, the endpoint is reachable over the network, and attack complexity is low; the impact is confined to confidentiality, with no effect on integrity or availability. Those characteristics correspond to a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, which yields the published base score of 5.3 (medium). The limited impact reflects that what leaks is the protected record itself rather than credentials or system access.

As of this analysis (17 September 2025) no in-the-wild exploitation has been reported and the record links no patch, so mitigation depends on a vendor release or on compensating controls in the meantime. The practical risk is reconnaissance: an attacker can harvest vendor and venue details that an organiser deliberately hid behind a password and use them for targeted phishing or social engineering against the organiser, the vendors or the venues.

Potential Impact

For European organizations using The Events Calendar plugin on WordPress sites, this vulnerability could lead to unauthorized disclosure of sensitive event-related information, such as details about password-protected vendors or venues. This exposure could undermine privacy commitments, especially under GDPR regulations, as personal or business-sensitive data might be leaked. Organizations involved in event management, ticketing, or venue booking could face reputational damage and loss of customer trust. While the vulnerability does not directly enable system compromise or data modification, the information disclosure could be a stepping stone for more sophisticated attacks, including phishing or targeted intrusion attempts. The impact is particularly relevant for organizations that rely heavily on WordPress for public-facing event management and have not yet updated the plugin or implemented compensating controls.

Mitigation Recommendations

European organizations should inventory their WordPress sites for The Events Calendar and record the installed version; any site at 6.15.2 or older is affected. Apply the vendor's fixed release as soon as one is published and linked in the record. Until then, reduce exposure of the plugin's REST routes rather than of the WordPress REST API as a whole: the affected route is plugin-specific, while the core API is used by the block editor and by many other plugins. Options are to restrict the plugin's routes to authenticated users or trusted source addresses at the web server or WAF, or to scrub password-protected records out of their responses with a must-use plugin. Disabling the plugin's routes outright is the blunt option; test it on a staging copy first, since other site features may depend on them. Verify whatever control is chosen by creating a throwaway password-protected vendor or venue and requesting it through the plugin's REST endpoint from a logged-out browser or a plain HTTP client; a correct response withholds the protected fields. Monitor web server logs for unauthenticated requests to the plugin's REST routes, in particular sequential numeric IDs or high request rates from a single source, which indicate enumeration. Longer term, keep sensitive vendor and venue data out of public-facing post types where feasible, or put an additional authentication layer in front of it, and include plugin REST routes in regular assessments and penetration tests: third-party endpoints frequently re-implement access checks that core already provides and get them wrong.
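The following must-use plugin is an added example, not code from The Events Calendar, from Wordfence or from this record. It implements the compensating control and the monitoring described above, and illustrates the gate the technical analysis says the endpoint skips: it intercepts every response under the plugin's REST namespace, replaces any password-protected vendor or venue record that the caller has not unlocked with a minimal stub modelled on core's protected flag, and logs unauthenticated requests that triggered scrubbing. It assumes the affected endpoints live under the REST namespace tribe/events/v1 and that venues and vendors are stored as the custom post types tribe_venue and tribe_organizer; the record names neither the endpoint nor the post types, so confirm both against your installation before relying on it. The file goes in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: TEC REST password-protection guard (added example, not vendor code)
 * Description: Compensating control for CVE-2025-9808. Scrubs password-protected
 *              venue/organizer records from The Events Calendar REST responses
 *              when the caller has not supplied the post password.
 */

// Assumptions (not stated in the advisory): the plugin's REST namespace and
// the custom post types that back venues and organizers ("vendors").
const ECGUARD_ROUTE_PREFIX = '/tribe/events/v1/';
const ECGUARD_POST_TYPES   = array( 'tribe_venue', 'tribe_organizer' );

/**
 * Decide whether a post ID refers to a venue/organizer whose password gate the
 * current request has not passed. Mirrors the checks core applies to protected
 * posts: users who can edit the post see everything, the wp-postpass cookie or
 * a matching ?password= parameter unlocks it, anything else is withheld.
 */
function ecguard_is_withheld( int $post_id, WP_REST_Request $request ): bool {
	$post = get_post( $post_id );
	if ( ! $post instanceof WP_Post || ! in_array( $post->post_type, ECGUARD_POST_TYPES, true ) ) {
		return false;
	}
	// False when the post has no password or the visitor's cookie already unlocked it.
	if ( ! post_password_required( $post ) ) {
		return false;
	}
	if ( current_user_can( 'edit_post', $post->ID ) ) {
		return false;
	}
	$supplied = (string) $request->get_param( 'password' );
	if ( '' !== $supplied && hash_equals( (string) $post->post_password, $supplied ) ) {
		return false;
	}
	return true;
}

/**
 * Walk the response data recursively. Any object carrying an "id" that resolves
 * to a withheld venue/organizer is replaced by a stub that keeps only the ID and
 * a protected flag, so nested embeds (e.g. a venue inside an event) are covered
 * without assuming the exact response shape. $withheld counts replacements.
 */
function ecguard_scrub( $data, WP_REST_Request $request, int &$withheld ) {
	if ( ! is_array( $data ) ) {
		return $data;
	}
	if ( isset( $data['id'] ) && is_numeric( $data['id'] ) && ecguard_is_withheld( (int) $data['id'], $request ) ) {
		$withheld++;
		return array( 'id' => (int) $data['id'], 'protected' => true );
	}
	foreach ( $data as $key => $value ) {
		$data[ $key ] = ecguard_scrub( $value, $request, $withheld );
	}
	return $data;
}

// rest_post_dispatch runs after the plugin's own handler has built the response,
// so this works whatever the handler did or did not check.
add_filter( 'rest_post_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	if ( is_wp_error( $result ) || 0 !== strpos( $request->get_route(), ECGUARD_ROUTE_PREFIX ) ) {
		return $result;
	}
	$withheld = 0;
	$result->set_data( ecguard_scrub( $result->get_data(), $request, $withheld ) );

	// Detection: unauthenticated callers reaching protected records are the
	// access pattern the advisory warns about. Log enough to spot enumeration.
	if ( $withheld > 0 && ! is_user_logged_in() ) {
		error_log( sprintf(
			'ecguard: withheld %d protected record(s) route=%s ip=%s ua=%s',
			$withheld,
			$request->get_route(),
			$_SERVER['REMOTE_ADDR'] ?? '-',
			substr( $_SERVER['HTTP_USER_AGENT'] ?? '-', 0, 120 )
		) );
	}
	return $result;
}, 10, 3 );
```

The scrub is applied to every response under the namespace, including collection listings and records embedded inside events, which is why it walks the data rather than matching a single route. Users who can edit the record and callers presenting the post password still receive full data, so legitimate use is unaffected; the one edge case is an unrelated object whose numeric id happens to collide with a protected venue or organizer post ID, which would also be stubbed. The log line goes to PHP's error log (wp-content/debug.log when WP_DEBUG_LOG is enabled); forward it to the SIEM and alert on many withheld records from one address. To confirm the installed plugin version, `wp plugin get the-events-calendar --field=version` with WP-CLI reads it from the plugin header.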


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-01T15:49:44.923Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c9fc31571b2840ff007f37

Added to database: 9/17/2025, 12:09:21 AM

Last enriched: 9/17/2025, 12:10:10 AM

Last updated: 9/17/2025, 2:38:29 AM


