Skip to main content
CVE-2025-12898 MEDIUM This Month

Unauthenticated attackers can retrieve sensitive Google API keys from the Pretty Google Calendar WordPress plugin (versions up to 2.0.0) by exploiting a missing capability check in the pgcal_ajax_handler() AJAX function. The vulnerability allows direct read access to configured API credentials without authentication, enabling credential harvesting for downstream API abuse. No public exploit code or active exploitation has been confirmed at time of analysis; however, the low CVSS score (5.3) and very low EPSS percentile (21%) reflect that while the vulnerability is real, real-world exploitation likelihood remains minimal due to the ease of detection and limited direct impact compared to data exfiltration or system compromise.

Google WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy