CVE-2022-1453

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
WordfenceCNA
9.8 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
carrcommunicationsrsvpmaker
𝑥
< 9.2.6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/davidfcarr/rsvpmaker/commit/bfb189f49af7ab0d34499a2da772e3266f72167d
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2714389%40rsvpmaker&new=2714389%40rsvpmaker&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/6031edec-4274-4e42-9e3a-ce0c94958b17?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1453
https://github.com/davidfcarr/rsvpmaker/commit/bfb189f49af7ab0d34499a2da772e3266f72167d
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2714389%40rsvpmaker&new=2714389%40rsvpmaker&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/6031edec-4274-4e42-9e3a-ce0c94958b17?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1453