RSVP and Event Management < 2.7.14 – Missing Authorization | CVE 2024-12711 | Plugin Vulnerabilities

Description

The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX functions like bulk_delete_attendees() and bulk_delete_questions() in all versions up to, and including, 2.7.13. This makes it possible for unauthenticated attackers to delete questions and attendees and for authenticated users to update question menu orders.

Affects Plugins

Fixed in 2.7.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d234212a-2019-477d-81d1-b2acc2321055

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

6a178113-9e6d-4acf-aae7-f75430010717

Timeline

Publicly Published

2025-01-06 (about 1 year ago)

Added

2025-01-06 (about 1 year ago)

Last Updated

2025-01-07 (about 1 year ago)

Other

Published

Title

Published

2026-02-23

Title

SiteGuard WP Plugin <= 1.7.9 - Missing Authorization

Published

2025-12-11

Title

Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion

Published

2025-12-22

Title

Beaver Builder – WordPress Page Builder < 2.9.4.2 - Subscriber+ Arbitrary Beaver Builder Post Update

Published

2024-07-19

Title

Getwid – Gutenberg Blocks < 2.0.11 - Missing Authentication to MailChimp API key update

Published

2024-07-11

Title

Packlink PRO shipping module < 3.4.7 - Missing Authorization