cleantalk
Vulnerabilities and Security Researches

Events Manager – Calendar, Bookings, Tickets, and more!, CVE-2025-12407

CVE, Research URL

CVE-2025-12407

Home page URL

Security reports for Events Manager – Calendar, Bookings, Tickets, and more!

Application

Events Manager – Calendar, Bookings, Tickets, and more!

Published on
Dec 12, 2025
Research Description
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 7.2.2.3.
Status
vulnerable
Previous vulnerability researches
Events Manager Pro – extended (CVE-2024-50532) , Nov 03, 2024
WP Events Manager (CVE-2024-7717) , Sep 01, 2024
WP Events Manager (CVE-2025-57987) , Oct 11, 2025
Events Manager – Calendar, Bookings, Tickets, and more! (CVE-2025-12407) , Jan 10, 2026
Events Manager – Calendar, Bookings, Tickets, and more! (CVE-2025-12408) , Jan 10, 2026
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026