CVE-2025-12898
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
Analysis
Unauthenticated attackers can retrieve the Google API key configured in the Pretty Google Calendar WordPress plugin (versions up to and including 2.0.0) by calling the pgcal_ajax_handler() AJAX function, which performs no capability check. A single request to the plugin's admin-ajax.php action returns the stored credential, which can then be reused for downstream abuse of Google APIs: quota consumed against the site owner's Google Cloud project and, if the key is unrestricted, access to any other API enabled in that project. No public exploit code or active exploitation had been confirmed at the time of analysis. The CVSS base score of 5.3 and the EPSS percentile of roughly 21% reflect the bounded impact rather than any difficulty of exploitation: the flaw is network-reachable with no preconditions, but it exposes only the confidentiality of one credential (C:L) and affects neither integrity nor availability, so it ranks well below flaws that yield code execution, account takeover or bulk data exfiltration.
Technical Context
The Pretty Google Calendar plugin uses AJAX handlers registered through WordPress's wp_ajax_{action} and wp_ajax_nopriv_{action} hooks and served from wp-admin/admin-ajax.php. The pgcal_ajax_handler() function processes those requests but performs no capability check (current_user_can() against a capability such as manage_options, which is what a settings read requires) before returning sensitive data. Since the advisory states that anonymous users can reach the handler, it is in effect registered on a nopriv hook or otherwise exposed without a login requirement; the exact action name is not published. This is a common WordPress antipattern: an endpoint intended only for administrators is wired to the public admin-ajax.php entry point with no authorization logic. A nonce check alone would not close the hole either; a nonce defends against CSRF and can be minted for any visitor, whereas current_user_can() is what establishes authorization. The CWE-862 (Missing Authorization) classification reflects that access control is absent rather than implemented incorrectly (which would be CWE-863): the function erects no barrier at all. The plugin stores the Google API key in the WordPress options table (wp_options), and the handler reads it back and returns it without verifying the requester's identity or capabilities, so an unauthenticated GET or POST to the AJAX interface extracts the key.
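The pattern described above, as an added illustrative example that is not the plugin's own code: the vulnerable handler shape beside a hardened version with both a nonce (CSRF) check and a capability (authorization) check. The advisory names only pgcal_ajax_handler(); the action name pgcal_action, the option name pgcal_options, the nonce action pgcal_ajax_nonce, the script handle pgcal-admin and the settings-page hook suffix are assumptions chosen for this example.

```php
<?php
// Illustrative example only; not the plugin's code. All names other than
// pgcal_ajax_handler() (action, option, nonce, script handle, page hook) are assumed.

// --- Vulnerable pattern (CWE-862): reachable by anonymous users, no capability check.
// Both hooks point at the same function, so login is not required.
add_action( 'wp_ajax_pgcal_action', 'pgcal_ajax_handler_vulnerable' );
add_action( 'wp_ajax_nopriv_pgcal_action', 'pgcal_ajax_handler_vulnerable' );

function pgcal_ajax_handler_vulnerable() {
    $options = get_option( 'pgcal_options', array() ); // assumed option name
    // The secret is returned to anyone who requests admin-ajax.php?action=pgcal_action.
    wp_send_json_success( array( 'api_key' => $options['api_key'] ?? '' ) );
}

// --- Hardened pattern: the nopriv hook is dropped (a settings read has no
// anonymous use case) and the handler enforces both CSRF and authorization.
add_action( 'wp_ajax_pgcal_action', 'pgcal_ajax_handler_hardened' );

function pgcal_ajax_handler_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'pgcal_ajax_nonce', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Check a capability,
    //    not a role; manage_options is what the settings screen itself requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $options = get_option( 'pgcal_options', array() );
    wp_send_json_success( array( 'api_key' => $options['api_key'] ?? '' ) );
}

// --- Enqueue side: mint the nonce only on the plugin's own settings page and
// hand it to the admin script, which sends it as the 'nonce' POST field.
function pgcal_enqueue_admin_assets( $hook_suffix ) {
    if ( 'settings_page_pgcal' !== $hook_suffix ) { // assumed page hook suffix
        return;
    }
    wp_enqueue_script(
        'pgcal-admin',
        plugin_dir_url( __FILE__ ) . 'admin.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'pgcal-admin', 'pgcalAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'pgcal_ajax_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pgcal_enqueue_admin_assets' );
```

Against the vulnerable registration, an unauthenticated POST to /wp-admin/admin-ajax.php with action=pgcal_action returns the key in the JSON body. Against the hardened version the same anonymous request never reaches the plugin: admin-ajax.php answers with the body 0 and HTTP 400 because no nopriv hook exists for the action, and a logged-in user without manage_options receives the 403 JSON error from the capability check. That same request shape, an unauthenticated hit on admin-ajax.php with the plugin's action parameter, is what to search for in access logs when assessing whether a vulnerable install was probed.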
Affected Products
The Pretty Google Calendar plugin for WordPress is affected in all versions up to and including 2.0.0; the vulnerable AJAX handler is present in every release through that version. Any publicly reachable WordPress installation running a plugin version in that range is at risk. Refer to the WordPress plugin directory at https://wordpress.org/plugins/pretty-google-calendar/ for version history and to the Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c15924-d430-48e3-9804-fa83605b9c24 for confirmation and timeline details.
Remediation
Update the Pretty Google Calendar plugin to version 2.0.1 or later, which adds the missing WordPress capability check to the pgcal_ajax_handler() function. Site administrators can do this from the WordPress Plugins screen (locate Pretty Google Calendar and click Update) or with WP-CLI (wp plugin update pretty-google-calendar). After patching, treat any key that was configured while a vulnerable version was installed as compromised and rotate it: create a new key in the Google Cloud Console, enter it in the plugin settings, then delete the old key so the leaked value stops working. When issuing the replacement, apply Google Cloud's API key restrictions (restrict it to the Google Calendar API and to the site's HTTP referrers) so that a future leak is worth far less to an attacker; an unrestricted key can be used against every API enabled in the project. For sites unable to update immediately, deactivating the plugin (wp plugin deactivate pretty-google-calendar, or from the Plugins screen) removes the AJAX hook registration and prevents exploitation, at the cost of calendar functionality until the patch is applied. See the vendor changeset at https://plugins.trac.wordpress.org/changeset for technical details of the patch.