Unauthenticated SQL Injection in RSVPMaker Plugin for WordPress
CVE-2022-1453
7.5HIGH
Summary
The RSVPMaker plugin for WordPress presents a significant security risk due to its susceptibility to unauthenticated SQL Injection. This vulnerability arises from inadequate SQL escaping and parameterization of user input within the rsvpmaker-util.php file. As a result, malicious actors can manipulate SQL queries, gaining unauthorized access to the database and potentially exfiltrating sensitive information from versions of the plugin up to and including 9.2.5.
Affected Version(s)
RSVPMaker * <= 9.2.5
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Tobias Kay Dalå (oxnan)