The Events Calendar plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 6.15.9. The sysinfo REST endpoint compares the provided key to the stored opt-in key using a loose comparison, allowing unauthenticated attackers to send a boolean value and obtain the full system report whenever the "Yes, automatically share my system information with The Events Calendar support team" setting is enabled.
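The comparison flaw described above, shown in isolation beside a type-checked, constant-time replacement. This is an added example, not the plugin's code: the function names and the key value are hypothetical, and the `mixed` type hint assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins; not the plugin's real function or option names.
function key_matches_loose(mixed $provided, string $stored): bool
{
    // Loose comparison: when one operand is a bool, PHP casts the other
    // operand to bool too, so a boolean true equals any string that is
    // neither empty nor "0".
    return $provided == $stored;
}

function key_matches_strict(mixed $provided, string $stored): bool
{
    // Accept only a non-empty string, and refuse to match an unset key,
    // before comparing in constant time.
    if (!is_string($provided) || $provided === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $provided);
}

// Constructed sample values. json_decode() keeps the JSON type, which is
// how a boolean can reach a comparison that expects a string.
$stored = 'constructed-opt-in-key-0123456789';
$inputs = [
    'correct key' => $stored,
    'wrong key'   => 'not-the-key',
    'JSON true'   => json_decode('true'),
    'JSON 1'      => json_decode('1'),
    'JSON null'   => json_decode('null'),
];

foreach ($inputs as $label => $value) {
    printf(
        "%-12s loose=%-5s strict=%s\n",
        $label,
        var_export(key_matches_loose($value, $stored), true),
        var_export(key_matches_strict($value, $stored), true)
    );
}
```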
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
This Pillar covers several possibilities: