CVE-2021-24371

Name of the Vulnerable Software and Affected Versions RSVPMaker WordPress plugin versions prior to 8.7.3

Description The issue is related to the Import feature of the RSVPMaker WordPress plugin, specifically with the "/wp-admin/tools.php?page=rsvpmaker export screen" endpoint. It is caused by insufficient validation of incoming requests, allowing a remote attacker to perform a Server-Side Request Forgery (SSRF) attack. This could enable a high-privilege user to scan the internal network.

Recommendations For versions prior to 8.7.3, update to version 8.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/wp-admin/tools.php?page=rsvpmaker export screen" endpoint to minimize the risk of exploitation. Additionally, restrict the use of the curl function with unvalidated URL inputs until the issue is resolved.