PT-2022-13920 · WordPress · Rsvpmaker
Published: 2022-05-10 · Updated: 2024-01-15 · CVE-2022-1505
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
RSVPMaker plugin for WordPress versions up to and including 9.2.6
Description
The issue is an unauthenticated SQL injection caused by missing SQL escaping and parameterization of user-supplied data that is passed into a SQL query in the rsvpmaker-api-endpoints.php file. An unauthenticated attacker can use it to read sensitive information from the database.
Recommendations
For versions up to and including 9.2.6, update to a version that adds the necessary SQL escaping and parameterization to prevent SQL injection. As a temporary workaround, consider restricting access to the rsvpmaker-api-endpoints.php file to reduce the risk of exploitation.
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Rsvpmaker