CVE-2025-12898
📋 TL;DR
The Pretty Google Calendar WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to retrieve the Google API key from plugin settings. This affects all WordPress sites using plugin versions up to 2.0.0. Attackers can steal API credentials without any authentication.
💻 Affected Systems
- Pretty Google Calendar WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain Google API key, potentially accessing associated Google services, modifying calendars, or using the key for other attacks against Google services.
Likely Case
Attackers steal the Google API key, potentially incurring costs through API abuse or accessing calendar data if permissions are overly broad.
If Mitigated
Limited to API key exposure only, with no further access if key permissions are properly scoped and monitored.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint with no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.1 or later
Vendor Advisory: https://wordpress.org/plugins/pretty-google-calendar/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Pretty Google Calendar. 4. Click 'Update Now' if available. 5. If no update shows, manually download latest version from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate pretty-google-calendar
Block Vulnerable Endpoint
linuxUse web application firewall or .htaccess to block access to the vulnerable AJAX handler
RewriteEngine On
RewriteRule ^wp-admin/admin-ajax\.php\?action=pgcal_ajax_handler - [F,L]
🧯 If You Can't Patch
- Immediately revoke and regenerate the Google API key in Google Cloud Console
- Implement IP whitelisting for the plugin's admin interface if possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for plugin version. If version is 2.0.0 or earlier, you are vulnerable.Check Version:
wp plugin get pretty-google-calendar --field=versionVerify Fix Applied:
Verify plugin version is 2.0.1 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /wp-admin/admin-ajax.php with action=pgcal_ajax_handler from unauthenticated users
Network Indicators:
- HTTP GET requests to WordPress AJAX endpoint with pgcal_ajax_handler parameter from external IPs
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=pgcal_ajax_handler*" AND user="-"