Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.
Published: 2025-12-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Patch Immediately
AI Analysis

Impact

The Events Manager plugin for WordPress contains an information exposure flaw that allows unauthenticated users to retrieve data from event locations marked as password protected, private, or draft. The flaw arises because the plugin's 'get_location' action does not enforce access controls on which locations may be returned: a caller can request a location that would be hidden on the normal front end and receive its data anyway. The weakness is classified as CWE-200, exposing confidential event location data to anyone who can send requests to the site.

Affected Systems

WordPress sites running the Events Manager plugin by netweblogic, including all releases up to and including 7.2.2.2.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating moderate severity. Its EPSS score is below 1%, a low but non-zero probability of exploitation, and it is not listed in the CISA KEV catalog. An attacker exploits the flaw by sending requests to the get_location action without authentication, supplying identifiers of locations that are password protected, private, or draft, and reading the data returned. The impact is confined to confidentiality: the flaw discloses location data but does not by itself lead to code execution, modification of data, or denial of service.

Generated by OpenCVE AI on April 22, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Events Manager plugin to a release later than 7.2.2.2 as soon as the vendor publishes one; the advisory lists every version up to and including 7.2.2.2 as affected, and the Remediation section above records no vendor fix at the time of writing.
  • If an immediate update is not feasible, temporarily disable the 'get_location' action or gate it. Requiring a login is only a stopgap: the data at issue is draft, private and password-protected locations, which even a logged-in subscriber should not see, so the gate should apply the per-location read check (post status, password, and the caller's capability) rather than authentication alone.
  • Web-server rules are a weaker fallback. If the action is dispatched through admin-ajax.php, as most WordPress AJAX actions are, a path-based .htaccess rule would block every AJAX action on the site, and a mod_rewrite rule on the action name can only match it in the query string, not in a POST body. Enforce the check in PHP where possible.

Generated by OpenCVE AI on April 22, 2026 at 12:47 UTC.
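The following is an added example and is not Events Manager's code nor the vendor's fix. It shows the access pattern the Impact section describes (a lookup that returns whatever location ID the caller supplies) beside a gate that applies WordPress's own per-post read checks, which is the check the second recommended action should enforce instead of a login-only rule. It assumes locations are stored as a custom post type named `location` and that the request carries the post ID in an `id` parameter; the `example_*` function and hook names are hypothetical.

```php
<?php
// Added example (not the plugin's code). Assumptions, not confirmed by this
// page: locations are a custom post type named 'location' and the request
// carries the post ID in an 'id' parameter. All example_* names are hypothetical.

// Vulnerable pattern: whatever ID the caller supplies is fetched and returned.
// get_post() returns draft, private and password-protected posts just the same,
// so an unauthenticated caller can walk IDs and read hidden locations.
function example_get_location_vulnerable() {
    $id   = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    $post = $id ? get_post( $id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( example_location_payload( $post ) );
}

// Hardened pattern: serve the record only if the caller could read it on the
// normal front end. Being logged in is not the test; a subscriber account is
// still refused a private or draft location.
function example_location_is_readable( WP_Post $post ) {
    // Refuse anything that is not a location, so the action cannot be turned
    // into a reader for posts of other types.
    if ( 'location' !== $post->post_type ) {
        return false;
    }
    // Non-published statuses (draft, pending, private, future, trash): defer to
    // the read_post meta capability, which anonymous users never hold.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return false;
    }
    // Password-protected: true until the visitor has submitted the password
    // and holds the wp-postpass cookie WordPress sets for it.
    if ( post_password_required( $post ) ) {
        return false;
    }
    return true;
}

function example_get_location_hardened() {
    $id   = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    $post = $id ? get_post( $id ) : null;
    // Same response for "no such ID" and "not readable", so the endpoint does
    // not confirm which hidden IDs exist.
    if ( ! $post || ! example_location_is_readable( $post ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( example_location_payload( $post ) );
}

// Only the fields the front end needs, never the raw post row.
function example_location_payload( WP_Post $post ) {
    return array(
        'id'      => $post->ID,
        'title'   => get_the_title( $post ),
        'content' => apply_filters( 'the_content', $post->post_content ),
    );
}

// Hypothetical registration: both hooks, so the same check runs whether or
// not the caller is logged in.
add_action( 'wp_ajax_nopriv_example_get_location', 'example_get_location_hardened' );
add_action( 'wp_ajax_example_get_location', 'example_get_location_hardened' );
```

To verify a gate like this after deploying it, request the action anonymously once with the ID of a published location and once with the ID of a draft or password-protected one: the first should return the record and the second the same 404 body as a nonexistent ID. Repeating the second request with a subscriber-level session should still be refused; only a session holding the read_post capability for that location (or the post-password cookie) should succeed.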

Advisories

No advisories yet.

History

Sun, 14 Dec 2025 21:30:00 +0000

First Time appeared (values added): Netweblogic; Netweblogic events Manager; Wordpress; Wordpress wordpress
Vendors & Products (values added): Netweblogic; Netweblogic events Manager; Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 16:15:00 +0000

Metrics (ssvc), value removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Metrics (ssvc), value added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 15:15:00 +0000

Metrics (ssvc), value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 11:30:00 +0000

Description (value added): The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.
Title (value added): Events Manager <= 7.2.2.2 - Unauthenticated Information Exposure
Weaknesses (value added): CWE-200
References: (no values shown)
Metrics (cvssV3_1), value added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Netweblogic Events Manager
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:23.934Z

Reserved: 2025-10-28T15:15:50.054Z

Link: CVE-2025-12408

Vulnrichment

Updated: 2025-12-12T14:39:05.078Z

NVD

Status : Deferred

Published: 2025-12-12T12:15:45.587

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses