Impact
The vulnerability resides in The Events Calendar plugin for WordPress. A REST endpoint named sysinfo compares the key supplied in the request with the stored opt-in key using a loose (non-strict) equality check. Under PHP's loose comparison rules a boolean true compares equal to a non-empty string such as the stored key, so an unauthenticated attacker who sends a boolean value in place of the key passes the check and retrieves the full system report, provided the 'Yes, automatically share my system information with The Events Calendar support team' option is enabled. The disclosed data may include the server OS, PHP version, WordPress configuration, active plugins, and other environment details, compromising confidentiality. The weakness is classified as CWE-697 (Incorrect Comparison): a comparison whose semantics do not match the intended check, here a type-juggling equality test applied to a secret.
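The following is an added example written for this page; it is not code from The Events Calendar plugin, and the key value, function names and request payloads are constructed stand-ins. It shows why a JSON boolean defeats a loose key comparison in PHP and how a strict, type-checked comparison closes the gap.

```php
<?php
declare(strict_types=1);

// Constructed sample opt-in key (hypothetical value, not from the plugin).
const STORED_OPTIN_KEY = 'a1b2c3d4e5f6';

/**
 * Vulnerable pattern: PHP's == juggles types. When one operand is bool(true)
 * and the other is a non-empty string, the string is converted to bool(true)
 * and the comparison succeeds regardless of the string's contents.
 */
function check_key_loose($supplied, string $stored): bool
{
    return $supplied == $stored;
}

/**
 * Hardened pattern: refuse anything that is not a string, then compare with
 * hash_equals(), which requires two strings and runs in constant time.
 * A plain === would also stop the type-juggling bypass.
 */
function check_key_strict($supplied, string $stored): bool
{
    if (!is_string($supplied) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Values a WP REST route would see after JSON decoding of the request body.
// json_decode('true') yields bool(true), which is the bypass payload; the
// integer case is included because PHP < 8 also juggled 0 == 'non-numeric'
// to true, while PHP 8 compares them as strings and returns false.
$payloads = [
    'correct key'  => json_decode('"a1b2c3d4e5f6"'),
    'wrong key'    => json_decode('"zzz"'),
    'boolean true' => json_decode('true'),
    'integer 0'    => json_decode('0'),
];

foreach ($payloads as $label => $supplied) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(check_key_loose($supplied, STORED_OPTIN_KEY), true),
        var_export(check_key_strict($supplied, STORED_OPTIN_KEY), true)
    );
}
```

Run it with `php example.php`: only the 'correct key' row passes the strict check, while the loose check also accepts 'boolean true'. The same reasoning applies to any secret compared with == against decoded request input, which is why the hardened form rejects non-string types before comparing at all.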
Affected Systems
WordPress sites running StellarWP's The Events Calendar plugin at version 6.15.9 or earlier with the system-information-sharing option enabled are susceptible. The weakness is specific to this plugin. Because the sysinfo endpoint accepts unauthenticated requests, exposure does not depend on any user role or session: any remote party who can reach the site's REST API can trigger it. Sites on a newer release, or with the opt-in disabled, are not exposed as described; administrators can confirm both the installed version and the state of the sharing option from the plugin's settings.
Risk and Exploitability
The CVSS score of 5.3 places the issue in the medium category. The EPSS score indicates an exploitation probability below 1%, meaning that, while the flaw is public, the estimated likelihood of exploitation in the wild is currently low. The vulnerability is not listed in CISA's KEV catalog. An attacker exploits it remotely by sending an unauthenticated HTTP request to the sysinfo endpoint with a boolean (for example the JSON literal true) in place of the key and reading the system report in the response. No credentials or privileges are needed and the request is trivially scripted, so the practical limiting factor is the precondition that the opt-in must be enabled, which is consistent with the low EPSS estimate. Where it is enabled, the exposed server, PHP and plugin inventory details aid reconnaissance and the discovery of further vulnerabilities on the site.
OpenCVE Enrichment