Plattform
wordpress
Komponente
events-manager
Behoben in
7.2.3
CVE-2025-12407 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Events Manager plugin for WordPress. This flaw allows unauthenticated attackers to delete locations on a WordPress site if they can convince a site administrator to perform a malicious action. The vulnerability affects versions from 0.0.0 up to and including 7.2.2.2, and a fix is available in version 7.2.2.3.
An attacker can exploit this CSRF vulnerability to delete locations within the Events Manager plugin. This could disrupt event scheduling and booking processes, potentially leading to denial of service or data loss. The attacker needs to craft a malicious request and trick a site administrator into clicking a link or visiting a page containing the forged request. Successful exploitation requires administrator privileges, but the attack itself doesn't require authentication beyond that.
This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation makes it a potential target for automated attacks. The vulnerability is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns.
WordPress websites utilizing the Events Manager plugin, particularly those with multiple administrators or shared hosting environments, are at increased risk. Sites with legacy configurations or plugins that haven't been regularly updated are also more vulnerable.
• wordpress / composer / npm:
grep -r 'location_delete' /var/www/html/wp-content/plugins/events-manager/• wordpress / composer / npm:
wp plugin list | grep "Events Manager"• wordpress / composer / npm:
wp plugin update events-manager --version=7.2.2.3disclosure
Exploit-Status
EPSS
0.02% (4% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation is to upgrade the Events Manager plugin to version 7.2.2.3 or later, which includes the necessary nonce validation to prevent CSRF attacks. As a temporary workaround, restrict administrator access to the location management section of the plugin. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Regularly review WordPress user permissions and ensure only authorized personnel have administrative access.
Aktualisieren Sie auf Version 7.2.2.3 oder eine neuere gepatchte Version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-12407 is a Cross-Site Request Forgery vulnerability in the Events Manager WordPress plugin, allowing attackers to delete locations via forged requests if they can trick an administrator.
If you are using Events Manager versions 0.0.0 through 7.2.2.2, you are affected by this vulnerability. Upgrade to 7.2.2.3 or later to mitigate the risk.
Upgrade the Events Manager plugin to version 7.2.2.3 or a later version. As a temporary measure, restrict administrator access to location management.
There are currently no confirmed reports of active exploitation, but the ease of exploitation makes it a potential target.
Please refer to the Events Manager plugin website and WordPress.org plugin repository for the latest advisory and update information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.