Primary

Context

The Events Calendar Missing Capability Check Vulnerability Allowing Unauthorized Access to Draft Event Information and QR Codes

Vulnerability

Patched

A vulnerability exists in The Events Calendar plugin for WordPress, in all versions through 6.15.9. The issue arises from a missing capability check on the 'tec_qr_code_modal' AJAX endpoint, allowing authenticated users with Subscriber-level access and above to access draft event titles and generate or view QR codes for those events.

Impact

Exploitation of this vulnerability allows unauthorized access to draft event titles and the ability to generate and view QR codes for those events.

Remediation

Users are advised to update The Events Calendar plugin to version 6.15.10 or a newer patched version.

Added: Oct 31, 2025, 9:21 AM

Updated: Oct 31, 2025, 9:21 AM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

3.1

exploitability

6.1

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

3.1

exploitability

6.1

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

The Events Calendar Missing Capability Check Vulnerability Allowing Unauthorized Access to Draft Event Information and QR Codes

Vulnerability

Impact

Remediation

Affected Products

The Events Calendar

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating