WordPress Plugin Vulnerabilities

RSVPMaker < 9.2.6 - Unauthenticated SQLi

Description

The plugin is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database

Affects Plugins

Plugin icon
rsvpmaker
Fixed in 9.2.6

References

CVE
CVE-2022-1453
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1453

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Tobias Kay Dala (oxnan)
Verified
Yes
WPVDB ID
f29a8bbe-d2ad-4a5b-b5af-c283a9233222

Timeline

Publicly Published
2022-04-26 (about 4 years ago)
Added
2022-04-26 (about 4 years ago)
Last Updated
2022-04-27 (about 4 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP DS FAQ Plus - Unspecified SQL Injection
Published
2018-01-28
Title
User Control - Unauthenticated SQL Injection
Published
2021-04-26
Title
Car Seller - Auto Classifieds Script <= 2.1.0 - Unauthenticated SQL Injection
Published
2026-01-08
Title
Lead Capturing Pages <= 2.5 - Unauthenticated SQL Injection
Published
2023-01-17
Title
Simple URLs < 115 - Subscriber+ SQLi