Skip to main content
CVE Vulnerability Database

CVE-2025-9808: Events Calendar Plugin Info Disclosure Flaw

CVE-2025-9808 is an information disclosure vulnerability in The Events Calendar WordPress plugin that allows unauthenticated attackers to access password-protected vendor and venue data via REST endpoints.

Published:

CVE-2025-9808 Overview

CVE-2025-9808 is an information exposure vulnerability in The Events Calendar plugin for WordPress. The flaw affects all versions up to and including 6.15.2. The plugin exposes data through a REST API endpoint that fails to enforce access controls on password-protected content. Unauthenticated attackers can query this endpoint to extract information about password-protected vendors or venues without supplying credentials. The vulnerability is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).

Critical Impact

Unauthenticated remote attackers can retrieve information about password-protected vendors and venues via the REST endpoint, bypassing the plugin's intended access restrictions.

Affected Products

  • The Events Calendar plugin for WordPress, versions up to and including 6.15.2
  • WordPress sites using password protection on vendor entries managed by the plugin
  • WordPress sites using password protection on venue entries managed by the plugin

Discovery Timeline

  • 2025-09-16 - CVE-2025-9808 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9808

Vulnerability Analysis

The Events Calendar plugin exposes vendor and venue objects through a Representational State Transfer (REST) API endpoint. WordPress supports post-level password protection, which restricts front-end rendering of protected content until a visitor supplies the correct password. The plugin's REST endpoint does not honor this protection when serving vendor or venue data. An unauthenticated attacker can send a standard HTTP request to the endpoint and receive fields belonging to password-protected records. The disclosed data is limited to information about the protected vendors or venues, resulting in a confidentiality impact without integrity or availability effects. The Exploit Prediction Scoring System (EPSS) rates this vulnerability at 0.771 percent probability of exploitation.

Root Cause

The root cause is missing authorization on the REST endpoint that returns vendor and venue objects. The endpoint's permission callback does not evaluate the post_password attribute of the requested resource before returning protected fields. WordPress core exposes helper functions such as post_password_required() that plugins can use to gate protected content, but the plugin's REST controller did not apply this check for the affected resource types.

Attack Vector

Exploitation requires only network access to the WordPress site's REST API. An attacker enumerates vendor or venue identifiers, then requests each resource through the plugin's REST route. The server returns object data for password-protected entries without prompting for a password. No authentication, user interaction, or elevated privileges are required. The vulnerability was fixed in WordPress Changeset 3359403, which adds the missing password check to the REST controller. See the Wordfence Vulnerability Report for additional analysis.

Detection Methods for CVE-2025-9808

Indicators of Compromise

  • Unauthenticated HTTP GET requests to /wp-json/tribe/events/v1/venues or /wp-json/tribe/events/v1/organizers routes from a single source IP
  • High-volume enumeration of sequential vendor or venue IDs against the plugin's REST endpoints
  • Successful HTTP 200 responses returning object payloads for resources marked with post_password in the database

Detection Strategies

  • Review web server access logs for requests to The Events Calendar REST routes originating from unauthenticated sessions
  • Correlate REST endpoint access with the post_password field in the wp_posts table to identify potential disclosure of protected records
  • Deploy a Web Application Firewall (WAF) rule that alerts when REST responses for protected post types exceed a baseline volume

Monitoring Recommendations

  • Log all requests to /wp-json/tribe/* endpoints with source IP, user agent, and requested resource ID
  • Monitor for anomalous enumeration patterns targeting the plugin's REST namespace
  • Alert on repeated 200 responses to unauthenticated clients requesting vendor or venue resources

How to Mitigate CVE-2025-9808

Immediate Actions Required

  • Update The Events Calendar plugin to a version later than 6.15.2 that includes the fix from Changeset 3359403
  • Inventory all WordPress sites running the plugin and prioritize sites that use password-protected vendors or venues
  • Rotate any information previously assumed confidential due to password protection on affected vendor or venue records

Patch Information

The vendor addressed the issue in the plugin repository via WordPress Changeset 3359403. Site administrators should install the patched release through the WordPress plugin updater or by deploying the updated plugin package.

Workarounds

  • Disable The Events Calendar plugin until the patched version is installed if password-protected vendors or venues contain sensitive data
  • Restrict access to /wp-json/tribe/* REST routes at the WAF or reverse proxy layer, allowing only trusted IP ranges
  • Remove password protection and instead use role-based access control for vendors and venues that require confidentiality
bash
# Example nginx snippet to block unauthenticated access to the plugin's REST namespace
location ~ ^/wp-json/tribe/ {
    allow 10.0.0.0/8;
    deny all;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.