CVE-2025-12954 | THREATINT

Description

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor.

PUBLISHED Reserved 2025-11-10 | Published 2025-12-03 | Updated 2025-12-03 | Assigner WPScan

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

Any version before 2.4.16

affected

Credits

bRpsd finder

WPScan coordinator

References

wpscan.com/...rability/f15dd1ca-aa40-4d3b-9625-e3ace744374d/ exploit vdb-entry technical-description

cve.org (CVE-2025-12954)

nvd.nist.gov (CVE-2025-12954)