Google
CVE-2025-12898
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
AnalysisAI
Unauthenticated attackers can retrieve sensitive Google API keys from the Pretty Google Calendar WordPress plugin (versions up to 2.0.0) by exploiting a missing capability check in the pgcal_ajax_handler() AJAX function. The vulnerability allows direct read access to configured API credentials without authentication, enabling credential harvesting for downstream API abuse. No public exploit code or active exploitation has been confirmed at time of analysis; however, the low CVSS score (5.3) and very low EPSS percentile (21%) reflect that while the vulnerability is real, real-world exploitation likelihood remains minimal due to the ease of detection and limited direct impact compared to data exfiltration or system compromise.
Technical ContextAI
The Pretty Google Calendar WordPress plugin uses AJAX handlers to communicate between the frontend and backend. The pgcal_ajax_handler() function processes user requests but fails to implement WordPress capability checks (typically using current_user_can() for admin or editor roles) before executing sensitive operations. This is a common WordPress security antipattern where AJAX endpoints intended for authenticated administrative use are exposed to the public wp-admin/admin-ajax.php endpoint without validation. The CWE-862 (Missing Authorization) classification indicates the root cause is absent access control rather than broken access control; the function provides no authentication barrier at all. The vulnerability stems from the plugin storing the Google API key in WordPress options (usually wp_options table) and retrieving it without verifying the requesting user's identity or capabilities, allowing unauthenticated POST/GET requests to extract the key via the AJAX interface.
Affected ProductsAI
Pretty Google Calendar plugin for WordPress in all versions up to and including 2.0.0 is affected. The vulnerable AJAX handler is present across all releases from initial publication through version 2.0.0. WordPress installations running any version of this plugin within that range on publicly accessible sites are at risk. Refer to the WordPress plugin directory at https://wordpress.org/plugins/pretty-google-calendar/ for version history and the official Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c15924-d430-48e3-9804-fa83605b9c24 for confirmation and timeline details.
RemediationAI
Update the Pretty Google Calendar plugin to version 2.0.1 or later, which includes a patch adding proper WordPress capability checks to the pgcal_ajax_handler() function. Site administrators should navigate to the WordPress Plugins page, locate Pretty Google Calendar, and click Update if a newer version is available. After patching, consider rotating any Google API keys that may have been exposed while running vulnerable versions; generate new keys in the Google Cloud Console and reconfigure the plugin settings with the new credentials. For sites unable to update immediately, manually disabling the plugin via wp-cli or the WordPress admin interface will prevent exploitation, though this will break calendar functionality until a patch can be applied. See the vendor changeset at https://plugins.trac.wordpress.org/changeset for technical details of the patch.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today