CVE-2025-5733
📋 TL;DR
The Modern Events Calendar Lite WordPress plugin versions up to 7.21.9 expose full web server path information to unauthenticated attackers through improper validation when exporting calendars. This information disclosure vulnerability doesn't directly compromise systems but provides reconnaissance data that could aid other attacks. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Modern Events Calendar Lite WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with another vulnerability (like file inclusion or directory traversal) to achieve remote code execution or sensitive data exposure.
Likely Case
Attackers gather reconnaissance information about server structure to plan targeted attacks against the WordPress installation.
If Mitigated
Limited to information disclosure only, with no direct system compromise if other vulnerabilities are patched.
🎯 Exploit Status
A simple HTTP request triggers the path disclosure, but actual compromise requires an additional vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.22.0 or later
Vendor Advisory: https://webnus.net/dox/modern-events-calendar/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Modern Events Calendar Lite.
4. Click 'Update Now' if available.
5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
- Disable calendar export functionality (all platforms): Temporarily disable the vulnerable export feature until patching
- Web application firewall rule (all platforms): Block requests to calendar export endpoints
🧯 If You Can't Patch
- Disable or remove the Modern Events Calendar Lite plugin entirely
- Implement strict web application firewall rules to block suspicious requests to calendar endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Modern Events Calendar Lite version. If version is 7.21.9 or lower, system is vulnerable.
Check Version:
wp plugin list --name='modern-events-calendar-lite' --field=version
Verify Fix Applied:
Confirm plugin version is 7.22.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /wp-content/plugins/modern-events-calendar-lite/app/ endpoints with export parameters
- Multiple failed attempts to access server path information
Network Indicators:
- HTTP requests containing 'export' or 'id' parameters targeting the Modern Events Calendar plugin endpoints
SIEM Query:
source="web_logs" AND (uri_path="/wp-content/plugins/modern-events-calendar-lite/*" AND (query="*export*" OR query="*id=*"))
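The log indicators above, applied to web server access logs as an added example (not code from the vendor or from this advisory). It assumes Combined Log Format; the sample lines, client addresses and `placeholder` file names are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

PLUGIN_PREFIX = "/wp-content/plugins/modern-events-calendar-lite/"
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_suspect(target):
    """True for a plugin-path request carrying an export or id parameter."""
    parts = urlsplit(target)
    # Decode percent-escapes so an encoded path still matches the prefix.
    if not unquote(parts.path).startswith(PLUGIN_PREFIX):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    has_export = any(
        "export" in name.lower() or any("export" in v.lower() for v in values)
        for name, values in params.items()
    )
    # Exact parameter name "id": narrower than the SIEM wildcard *id=*.
    return has_export or "id" in params

def scan(lines):
    """Return (ip, timestamp, target, status) for each matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_suspect(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits

def by_client(hits):
    return Counter(ip for ip, _, _, _ in hits)

# Constructed sample log lines (documentation IP ranges, placeholder file names).
P = PLUGIN_PREFIX + "app/placeholder.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Jun/2025:10:01:02 +0000] "GET {P}?export=1&id=42 HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.9 - - [12/Jun/2025:10:01:05 +0000] "GET {PLUGIN_PREFIX}assets/placeholder.css?ver=1 HTTP/1.1" 200 900 "-" "-"',
    f'203.0.113.7 - - [12/Jun/2025:10:01:09 +0000] "GET {P}?id=7 HTTP/1.1" 500 0 "-" "-"',
    '192.0.2.55 - - [12/Jun/2025:10:02:00 +0000] "GET /?p=12&id=3 HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.9 - - [12/Jun/2025:10:03:00 +0000] "GET /wp-content/plugins/modern-events-calendar%2Dlite/app/placeholder.php?action=export HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(by_client(scan(SAMPLE_LOG)))
```

Repeated hits from one client against the plugin path are the pattern worth triaging; static asset requests and `id` parameters outside the plugin directory are ignored.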