CVE-2025-9808: 
WordPress vulnerability analysis and mitigation

The Events Calendar plugin for WordPress contains an Information Exposure vulnerability (CVE-2025-9808) discovered on September 16, 2025. This vulnerability affects all versions up to and including 6.15.2. The vulnerability exists in the REST endpoint functionality of the plugin (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The technical assessment indicates that this is a CWE-200 type vulnerability (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability is accessible through network vectors, requires low attack complexity, and needs no privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to extract information about password-protected vendors or venues through the REST endpoint. This information exposure could potentially reveal sensitive business data that was intended to be protected (NVD).

A patch has been released in version 6.15.3 of The Events Calendar plugin. Users are advised to update to this version or later to address the vulnerability (WordPress Plugin Repository).