Pretty Google Calendar

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.

Basic Information

ID CVE-2025-12898

Source Wordfence

Published Dec 20, 2025 at 03:20

Affected Product

Vendor lbell

Product Pretty Google Calendar

Version *

Affected Versions lbell Pretty Google Calendar *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.",
    "published": "2025-12-20T03:20:22.435Z",
    "modified": "2025-12-20T03:20:22.435Z",
    "type": "cve",
    "title": "Pretty Google Calendar <= 2.0.0 - Missing Authorization to Unauthenticated Google API Key Exposure",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c15924-d430-48e3-9804-fa83605b9c24?source=cve\nhttps://wordpress.org/plugins/pretty-google-calendar/",
    "id": "CVE-2025-12898",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "lbell Pretty Google Calendar *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Pretty Google Calendar",
    "version": "*",
    "vendor": "lbell",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Pretty Google Calendar <= 2.0.0 - Missing Authorization to Unauthenticated Google API Key Exposure_CVE-2025-12898