[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fj3kmcVQXXFEJulHRQPWWyA0psI_mww1pbjIbBxvgA4U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-27398","rsvp-and-event-management-missing-authorization-2","RSVP and Event Management \u003C= 2.7.16 - Missing Authorization","The RSVP and Event Management plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.7.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.","rsvp",null,"\u003C=2.7.16","2.7.17","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-25 00:00:00","2026-05-26 19:26:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd4918bc5-5d92-4363-abd5-69f2c9a46543?source=api-prod",2,[],"researched",false,3,"# Research Plan: CVE-2026-27398 - Missing Authorization in RSVP and Event Management\n\n## 1. Vulnerability Summary\nThe **RSVP and Event Management** plugin (versions \u003C= 2.7.16) contains a missing authorization vulnerability. Specifically, the function handling attendee deletion, `rsvp_delete_attendee`, is registered with both `wp_ajax_rsvp_delete_attendee` and `wp_ajax_nopriv_rsvp_delete_attendee`. Because the function fails to perform a capability check (e.g., `current_user_can( 'manage_options' )`), any unauthenticated user can trigger the deletion of attendee records if they can provide a valid nonce and a target attendee ID.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `rsvp_delete_attendee`\n- **Method:** POST\n- **Parameters:**\n  - `action`: `rsvp_delete_attendee`\n  - `attendeeId` (inferred): The numeric ID of the attendee to delete.\n  - `security` (inferred): The nonce required for the AJAX action.\n- **Authentication:** None (Unauthenticated via `wp_ajax_nopriv`).\n- **Preconditions:** The attacker must obtain a valid nonce, typically found on pages where the RSVP form or attendee list is rendered.\n\n## 3. Code Flow\n1. **Registration:** In `rsvp.php`, the plugin hooks the `rsvp_delete_attendee` function:\n   ```php\n   add_action( 'wp_ajax_rsvp_delete_attendee', 'rsvp_delete_attendee' );\n   add_action( 'wp_ajax_nopriv_rsvp_delete_attendee', 'rsvp_delete_attendee' );\n   ```\n2. **Entry Point:** An unauthenticated request to `admin-ajax.php?action=rsvp_delete_attendee` triggers the callback.\n3. **Execution:** The `rsvp_delete_attendee` function (typically in `rsvp_db.php` or `rsvp.php`) likely starts with a nonce check:\n   ```php\n   check_ajax_referer( 'rsvp_ajax_nonce', 'security' );\n   ```\n4. **Sink:** After the nonce check, the code proceeds directly to the database operation without verifying if the user has administrative privileges:\n   ```php\n   global $wpdb;\n   $attendeeId = (int)$_POST['attendeeId'];\n   $wpdb->delete( $wpdb->prefix . 'rsvp_attendees', array( 'id' => $attendeeId ) );\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the nonce for its JavaScript handlers. The nonce is tied to the action `rsvp_ajax_nonce`.\n\n1. **Identify Script Loading:** The script `rsvp_js` (or similar) is enqueued on pages containing the `[rsvp]` or `[rsvp_attendee_list]` shortcodes.\n2. **Setup Test Page:** Create a public page with the RSVP shortcode to force the nonce to be generated and exposed.\n   - Command: `wp post create --post_type=page --post_status=publish --post_title=\"RSVP Test\" --post_content='[rsvp]'`\n3. **Extract Nonce:** Navigate to the newly created page and extract the nonce from the localized JavaScript object.\n   - Variable Name: `rsvp_vars` (inferred from common plugin patterns) or `rsvp_settings`.\n   - Key: `rsvp_nonce`.\n   - **Agent Action:** Use `browser_eval(\"window.rsvp_vars?.rsvp_nonce\")` or `browser_eval(\"window.rsvp_settings?.nonce\")`.\n\n## 5. Exploitation Strategy\n1. **Preparation:** Identify a target attendee ID. Since IDs are auto-incrementing integers, ID `1` is a likely starting point.\n2. **Acquire Nonce:** Follow the steps in Section 4 to get the `security` token.\n3. **Construct Payload:**\n   - URL: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n   - Headers: `Content-Type: application\u002Fx-www-form-urlencoded`\n   - Body: `action=rsvp_delete_attendee&attendeeId=1&security=\u003CNONCE>`\n4. **Execute Request:** Use the `http_request` tool to send the POST payload.\n5. **Analyze Response:** A successful deletion usually returns `1` or a JSON success message.\n\n## 6. Test Data Setup\nBefore exploitation, ensure there is an attendee to delete:\n1. **Create an Event\u002FAttendee:**\n   ```bash\n   # Add an attendee manually to the database\n   wp db query \"INSERT INTO wp_rsvp_attendees (firstName, lastName, rsvpStatus) VALUES ('Target', 'User', 'No');\"\n   ```\n2. **Verify Attendee ID:**\n   ```bash\n   wp db query \"SELECT id FROM wp_rsvp_attendees WHERE firstName='Target';\"\n   ```\n3. **Create Public Page:**\n   ```bash\n   wp post create --post_type=page --post_status=publish --post_content='[rsvp]'\n   ```\n\n## 7. Expected Results\n- **HTTP Response:** Status 200. Body contains `1` or `{\"success\":true}`.\n- **Database State:** The row in `wp_rsvp_attendees` corresponding to the `attendeeId` is removed.\n\n## 8. Verification Steps\nAfter sending the exploit request, verify the deletion using WP-CLI:\n```bash\n# Attempt to find the deleted attendee\nwp db query \"SELECT * FROM wp_rsvp_attendees WHERE firstName='Target';\"\n```\nIf the query returns no results, the unauthorized deletion was successful.\n\n## 9. Alternative Approaches\nIf `rsvp_delete_attendee` is not the vulnerable action, check for other `wp_ajax_nopriv` hooks in the source:\n- `rsvp_save_attendee`: Potential to modify existing attendee data (Integrity impact).\n- `rsvp_export_attendees`: Potential to download the full list of attendees (Confidentiality impact).\n- **Search Command:**\n  ```bash\n  grep -rn \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Frsvp\u002F\n  ```\n- If the nonce check fails, verify if `check_ajax_referer` is called with `die=false` (Bypass 5 in the Knowledge Base).","The RSVP and Event Management plugin (\u003C= 2.7.16) is vulnerable to unauthenticated attendee deletion due to a missing authorization check in its AJAX handler. This allows any user, regardless of authentication status, to remove attendee records by providing a valid nonce and the target attendee ID.","\u002F\u002F rsvp.php or rsvp_db.php (inferred location)\n\u002F\u002F The functions are hooked to both authenticated and unauthenticated AJAX actions.\nadd_action( 'wp_ajax_rsvp_delete_attendee', 'rsvp_delete_attendee' );\nadd_action( 'wp_ajax_nopriv_rsvp_delete_attendee', 'rsvp_delete_attendee' );\n\nfunction rsvp_delete_attendee() {\n  \u002F\u002F Nonce check exists, but is accessible to anyone who can load a page with the RSVP shortcode\n  check_ajax_referer( 'rsvp_ajax_nonce', 'security' );\n\n  global $wpdb;\n  $attendeeId = (int)$_POST['attendeeId'];\n\n  \u002F\u002F Missing capability check: if ( ! current_user_can( 'manage_options' ) ) return;\n  \n  \u002F\u002F Deletion occurs without verifying if the requester has administrative privileges\n  $wpdb->delete( $wpdb->prefix . 'rsvp_attendees', array( 'id' => $attendeeId ) );\n\n  wp_send_json_success();\n}","--- a\u002Frsvp.php\n+++ b\u002Frsvp.php\n@@ -1,6 +1,5 @@\n-add_action( 'wp_ajax_rsvp_delete_attendee', 'rsvp_delete_attendee' );\n-add_action( 'wp_ajax_nopriv_rsvp_delete_attendee', 'rsvp_delete_attendee' );\n+add_action( 'wp_ajax_rsvp_delete_attendee', 'rsvp_delete_attendee' );\n \n function rsvp_delete_attendee() {\n \tcheck_ajax_referer( 'rsvp_ajax_nonce', 'security' );\n+\n+\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\twp_die( -1 );\n+\t}\n \n \tglobal $wpdb;\n \t$attendeeId = (int)$_POST['attendeeId'];\n \t$wpdb->delete( $wpdb->prefix . 'rsvp_attendees', array( 'id' => $attendeeId ) );\n \twp_send_json_success();\n }","The exploit targets the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) using the 'rsvp_delete_attendee' action. An attacker first obtains a valid 'rsvp_ajax_nonce' by visiting a public page where the [rsvp] shortcode is rendered, as the plugin localizes this nonce for use in front-end scripts. With the nonce, an unauthenticated attacker sends a POST request containing the 'action', the extracted 'security' nonce, and the 'attendeeId' of the record they wish to delete. Because the handler is registered via 'wp_ajax_nopriv' and lacks a 'current_user_can' check, the server executes the database deletion for any valid ID provided.","gemini-3-flash-preview","2026-06-04 21:07:54","2026-06-04 21:10:20",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.7.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frsvp\u002Ftags\u002F2.7.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frsvp.2.7.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frsvp\u002Ftags\u002F2.7.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frsvp.2.7.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frsvp\u002Ftags"]