RSVP and Event Management <= 2.7.16 - Unauthenticated Information Exposure
Description
The RSVP and Event Management plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.7.17
Source Code
WordPress.org SVNThe vulnerability in **RSVP and Event Management <= 2.7.16** is an **Unauthenticated Information Exposure**. Based on the plugin's architecture and the sensitive nature of RSVP data, this vulnerability likely resides in an AJAX endpoint or a search handler that fails to properly restrict access to t…
Show full research plan
The vulnerability in RSVP and Event Management <= 2.7.16 is an Unauthenticated Information Exposure. Based on the plugin's architecture and the sensitive nature of RSVP data, this vulnerability likely resides in an AJAX endpoint or a search handler that fails to properly restrict access to the attendee database or configuration settings.
The most common "Information Exposure" vectors in RSVP plugins occur when the "Find Attendee" or "Guest List" features can be abused to leak the full registry of guests, including private details like emails, passcodes, or custom question answers.
1. Vulnerability Summary
- Vulnerability: Unauthenticated Sensitive Information Exposure.
- Likely Location:
admin-ajax.phphandlers (e.g.,rsvp_find_attendeeorrsvp_search_attendees) or a direct export trigger ininit. - Cause: The plugin provides a mechanism for guests to find themselves on a guest list. If this mechanism allows wildcard searching (using
%or empty strings) and returns the full attendee record (including emails and passcodes) without a valid session or sufficient authorization, an attacker can dump the entire event database.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php(for AJAX-based search) or the front-end page containing the[rsvp]shortcode. - Action (Inferred):
rsvp_find_attendee(This is the standard action used in this plugin for the first step of the RSVP process). - Parameters:
firstName,lastName, and potentiallypasscode. - Authentication: None (Unauthenticated).
- Preconditions: At least one attendee must exist in the database.
3. Code Flow
- The plugin registers an AJAX action for logged-out users:
add_action('wp_ajax_nopriv_rsvp_find_attendee', '...');. - The handler retrieves
firstNameandlastNamefrom the$_POSTor$_GETrequest. - The handler performs a database query using these parameters:
SELECT * FROM {$wpdb->prefix}attendees WHERE firstName LIKE %s AND lastName LIKE %s. - Vulnerability: If the plugin does not sanitize for SQL wildcards (
%) or allows empty search terms, it returns multiple records. - Information Exposure: The returned data includes sensitive fields such as
email,passcode, or answers to custom questions that should remain private.
4. Nonce Acquisition Strategy
The plugin uses wp_localize_script to pass configuration to the front-end.
- JS Variable:
window.rsvp_plugin_vars - Potential Nonce Key:
rsvp_plugin_vars.nonceorrsvp_plugin_vars.ajax_nonce(to be verified via browser).
Strategy:
- Identify the page containing the
[rsvp]shortcode. - Create a test page if necessary:
wp post create --post_type=page --post_status=publish --post_title="RSVP Test" --post_content='[rsvp]' - Navigate to the page and extract the nonce using
browser_eval:browser_eval("window.rsvp_plugin_vars?.nonce || window.rsvp_plugin_vars?.ajax_nonce")
5. Exploitation Strategy
Step 1: Wildcard Attendee Search (Primary Vector)
Attempt to dump the guest list by providing wildcards to the search endpoint.
- Request URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: %25 is the URL-encoded version of the SQL wildcard %)action=rsvp_find_attendee&firstName=%25&lastName=%25&nonce=[EXTRACTED_NONCE]
Step 2: Sensitive Information Extraction
If the wildcard search works, check the response body for:
emailaddresses of guests.passcodevalues (allowing the attacker to hijack anyone's RSVP).idvalues (useful for further targeted queries).
Step 3: Unauthenticated Export (Secondary Vector)
Test if the export functionality fixed in earlier versions has regressed.
- Request URL:
http://localhost:8080/wp-admin/admin-ajax.php?action=rsvp_export_attendees - Method: GET
6. Test Data Setup
- Create Attendees: Use WP-CLI to populate the database with several guests.
# This assumes a custom table 'wp_attendees'. If the plugin uses a CPT, use 'wp post create'. # For this plugin, it typically uses a custom table. wp db query "INSERT INTO wp_attendees (firstName, lastName, email, passcode) VALUES ('John', 'Doe', 'john@example.com', 'SECRET123'), ('Jane', 'Smith', 'jane@example.com', 'PASS456');" - Ensure Plugin Settings: Ensure the RSVP feature is active.
- Place Shortcode: Place
[rsvp]on a public page to ensure nonces and scripts are loaded.
7. Expected Results
- Vulnerable Response: A JSON object or HTML fragment containing the names, emails, and/or passcodes of all attendees created in the setup phase.
- Success Indicator: Receiving more than one attendee record when only searching for a specific term (or using wildcards).
8. Verification Steps
After the HTTP exploit, verify the exposed data against the database:
# Check if the data returned by the exploit matches the database content
wp db query "SELECT firstName, lastName, email, passcode FROM wp_attendees;"
9. Alternative Approaches
- Parameter Fuzzing: If
firstName/lastNamedon't work, trysearch,term, orq. - REST API Check: Check if the plugin registered REST routes under
/wp-json/rsvp/v1/attendeeswithout apermission_callback.# Check for REST routes http_request "http://localhost:8080/wp-json/wp/v2/types" # Look for RSVP-related routes in the index - Direct Access: Some versions of the plugin stored exported files in
wp-content/uploads/rsvp/. Check if directory listing or direct file access is possible for generated CSVs.
Summary
The RSVP and Event Management plugin for WordPress exposes sensitive attendee information through its search AJAX endpoint. Unauthenticated attackers can exploit this by using SQL wildcards to bypass name filters, allowing them to dump the entire guest list including names, emails, and RSVP passcodes.
Security Fix
@@ -1,1843 +1,1843 @@ -/* - * jQuery UI CSS Framework @VERSION - * - * Copyright 2010, AUTHORS.txt (http://jqueryui.com/about) - * Dual licensed under the MIT or GPL Version 2 licenses. - * http://jquery.org/license - * - * http://docs.jquery.com/UI/Theming/API - */ ... (truncated)
Exploit Outline
1. Locate a public page where the [rsvp] shortcode is embedded to extract the necessary AJAX nonce from the 'rsvp_plugin_vars' JavaScript object. 2. Send an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'rsvp_find_attendee'. 3. Provide the SQL wildcard character '%' (URL-encoded as '%25') for both the 'firstName' and 'lastName' parameters. 4. Analyze the server's response, which will contain the full attendee database including sensitive fields like email addresses and private RSVP passcodes.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.