Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal - Appointment Booking Calendar for WordPress quickcal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.
Published: 2025-05-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The QuickCal plugin, in version 1.0.15 and earlier, contains an issue that allows an attacker to retrieve embedded sensitive system data. The flaw stems from improper management of sensitive information, classified as CWE‑497, and can lead to unauthorized disclosure of confidential details. The CVSS score of 4.3 reflects moderate severity: exploitation is expected to cause a moderate level of damage, not a catastrophic one.

Affected Systems

The vulnerability affects Themovation’s QuickCal Appointment Booking Calendar for WordPress plugin on all WordPress installations that use any version up to and including 1.0.15. No specific WordPress core version is mentioned, so any site with the vulnerable plugin is potentially impacted.

Risk and Exploitability

Based on the description, it is inferred that the attacker requires access to the WordPress control sphere, likely through the QuickCal plugin interface or by compromising administrative credentials, to read the exposed sensitive data. The EPSS score below 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploits at present. Nonetheless, the flaw allows an attacker with that access to read sensitive data exposed by the plugin. The moderate CVSS score signals that exploitation could result in a data breach with limited but real impact.

Generated by OpenCVE AI on May 1, 2026 at 08:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the QuickCal plugin to the latest release that removes the data exposure flaw.
  • Eliminate any sensitive information the plugin has stored or displayed, such as configuration files or logs, to remove residual exposure.
  • Restrict WordPress role permissions so that only trusted administrators can access QuickCal’s settings and data, limiting accidental disclosure.

Advisories
Source: EUVD
ID: EUVD-2025-15484
Title: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal: from n/a through 1.0.15.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal: from n/a through 1.0.15.
  Values Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal - Appointment Booking Calendar for WordPress quickcal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal - Appointment Booking Calendar for WordPress: from n/a through <= 1.0.15.
Title
  Values Removed: WordPress QuickCal <= 1.0.15 - Sensitive Data Exposure Vulnerability
  Values Added: WordPress QuickCal plugin <= 1.0.15 - Sensitive Data Exposure Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themovation QuickCal allows Retrieve Embedded Sensitive Data. This issue affects QuickCal: from n/a through 1.0.15.
Title WordPress QuickCal <= 1.0.15 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:21.596Z

Reserved: 2025-04-04T10:02:46.815Z

Link: CVE-2025-32299

Vulnrichment

Updated: 2025-05-16T16:41:34.632Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:39.370

Modified: 2026-04-23T15:28:55.670

Link: CVE-2025-32299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses