CVE-2022-1054

Name of the Vulnerable Software and Affected Versions RSVP and Event Management Plugin WordPress plugin versions prior to 2.7.8

Description The issue arises from the lack of authorization checks when exporting entries in the plugin, with the export function hooked to the init action. This allows unauthenticated attackers to call the function and retrieve personally identifiable information (PII) such as first name, last name, and email address of users registered for events.

Recommendations For versions prior to 2.7.8, update to version 2.7.8 or later to resolve the issue. As a temporary workaround, consider disabling the export function hooked to the init action until a patch is available. Restrict access to the export functionality to minimize the risk of exploitation. Avoid using the export function in the affected plugin until the issue is resolved.