Scan free
MEDIUMCVE-2025-12407CVSS 4.3

CVE-2025-12407: CSRF in Events Manager WordPress Plugin

Platform

wordpress

Component

events-manager

Fixed in

7.2.3

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2025-12407 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Events Manager plugin for WordPress. This flaw allows unauthenticated attackers to delete locations on a WordPress site if they can convince a site administrator to perform a malicious action. The vulnerability affects versions from 0.0.0 up to and including 7.2.2.2, and a fix is available in version 7.2.2.3.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

An attacker can exploit this CSRF vulnerability to delete locations within the Events Manager plugin. This could disrupt event scheduling and booking processes, potentially leading to denial of service or data loss. The attacker needs to craft a malicious request and trick a site administrator into clicking a link or visiting a page containing the forged request. Successful exploitation requires administrator privileges, but the attack itself doesn't require authentication beyond that.

Exploitation Context

This vulnerability was publicly disclosed on 2025-12-12. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation makes it a potential target for automated attacks. The vulnerability is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.02% (4% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N4.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentevents-manager
Vendorwordfence
Affected rangeFixed in
0 – 7.2.2.27.2.3

Package Information

Active installs
70KPopular
Plugin rating
4.2
Requires WordPress
6.1+
Compatible up to
7.0
Requires PHP
7.0+
Homepage

Weakness Classification (CWE)

CWE-352

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade the Events Manager plugin to version 7.2.2.3 or later, which includes the necessary nonce validation to prevent CSRF attacks. As a temporary workaround, restrict administrator access to the location management section of the plugin. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Regularly review WordPress user permissions and ensure only authorized personnel have administrative access.

How to fix

Update to version 7.2.2.3, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-12407 — CSRF in Events Manager WordPress Plugin?

CVE-2025-12407 is a Cross-Site Request Forgery vulnerability in the Events Manager WordPress plugin, allowing attackers to delete locations via forged requests if they can trick an administrator.

Am I affected by CVE-2025-12407 in Events Manager WordPress Plugin?

If you are using Events Manager versions 0.0.0 through 7.2.2.2, you are affected by this vulnerability. Upgrade to 7.2.2.3 or later to mitigate the risk.

How do I fix CVE-2025-12407 in Events Manager WordPress Plugin?

Upgrade the Events Manager plugin to version 7.2.2.3 or a later version. As a temporary measure, restrict administrator access to location management.

Is CVE-2025-12407 being actively exploited?

There are currently no confirmed reports of active exploitation, but the ease of exploitation makes it a potential target.

Where can I find the official Events Manager advisory for CVE-2025-12407?

Please refer to the Events Manager plugin website and WordPress.org plugin repository for the latest advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs