CVE-2025-12898
Description
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Pretty Google Calendar plugin for WordPress lacks a capability check, exposing the Google API key to unauthenticated attackers.
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the pgcal_ajax_handler() function. This flaw affects all versions up to and including 2.0.0. The function is intended for internal AJAX requests but does not verify whether the user has the appropriate permissions before processing requests [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=2.0.0
Patches
No patches discovered yet.