CVE-2025-5733: 
WordPress vulnerability analysis and mitigation

The Modern Events Calendar Lite plugin for WordPress is affected by a Full Path Disclosure vulnerability (CVE-2025-5733) in all versions up to and including 7.21.9. The vulnerability was discovered and disclosed on June 6, 2025, affecting websites using this WordPress calendar plugin (NVD CVE).

The vulnerability stems from improper or insufficient validation of the id property when exporting calendars. This security flaw has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness has been categorized as CWE-201 (Insertion of Sensitive Information Into Sent Data) (NVD CVE).

The vulnerability allows unauthenticated attackers to retrieve the full path of the web application. While the exposed information is not directly harmful on its own, it can be leveraged to aid other attacks. The impact is considered moderate as it requires another vulnerability to be present for causing actual damage to an affected website (NVD CVE).

Website administrators running the Modern Events Calendar Lite plugin should upgrade to a version newer than 7.21.9 once available. Until then, administrators should monitor their systems for any suspicious activities and consider implementing additional security measures to prevent the exploitation of the exposed information (WordPress Plugin).