Carrcommunications: Security Vulnerabilities
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6.
CVSS Score
9.8
EPSS Score
0.034
Published
2022-05-10
The RSVPMaker Excel WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/phpexcel/PHPExcel/Shared/JAMA/docs/download.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-09-10
The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack.
CVSS Score
2.7
EPSS Score
0.002
Published
2021-08-02
The rsvpmaker plugin before 5.6.4 for WordPress has SQL injection.
CVSS Score
9.8
EPSS Score
0.007
Published
2019-08-27
The rsvpmaker plugin before 6.2 for WordPress has SQL injection.
CVSS Score
9.8
EPSS Score
0.007
Published
2019-08-27
Page 2