CVE-2026-39536

RSVP and Event Management <= 2.7.16 - Unauthenticated Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.7.17
Patched in
55d
Time to patch

Description

The RSVP and Event Management plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.7.16
PublishedMarch 12, 2026
Last updatedMay 5, 2026
Affected pluginrsvp

What Changed in the Fix

Changes introduced in v2.7.17

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

The vulnerability in **RSVP and Event Management <= 2.7.16** is an **Unauthenticated Information Exposure**. Based on the plugin's architecture and the sensitive nature of RSVP data, this vulnerability likely resides in an AJAX endpoint or a search handler that fails to properly restrict access to t…

Show full research plan

The vulnerability in RSVP and Event Management <= 2.7.16 is an Unauthenticated Information Exposure. Based on the plugin's architecture and the sensitive nature of RSVP data, this vulnerability likely resides in an AJAX endpoint or a search handler that fails to properly restrict access to the attendee database or configuration settings.

The most common "Information Exposure" vectors in RSVP plugins occur when the "Find Attendee" or "Guest List" features can be abused to leak the full registry of guests, including private details like emails, passcodes, or custom question answers.

1. Vulnerability Summary

  • Vulnerability: Unauthenticated Sensitive Information Exposure.
  • Likely Location: admin-ajax.php handlers (e.g., rsvp_find_attendee or rsvp_search_attendees) or a direct export trigger in init.
  • Cause: The plugin provides a mechanism for guests to find themselves on a guest list. If this mechanism allows wildcard searching (using % or empty strings) and returns the full attendee record (including emails and passcodes) without a valid session or sufficient authorization, an attacker can dump the entire event database.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (for AJAX-based search) or the front-end page containing the [rsvp] shortcode.
  • Action (Inferred): rsvp_find_attendee (This is the standard action used in this plugin for the first step of the RSVP process).
  • Parameters: firstName, lastName, and potentially passcode.
  • Authentication: None (Unauthenticated).
  • Preconditions: At least one attendee must exist in the database.

3. Code Flow

  1. The plugin registers an AJAX action for logged-out users: add_action('wp_ajax_nopriv_rsvp_find_attendee', '...');.
  2. The handler retrieves firstName and lastName from the $_POST or $_GET request.
  3. The handler performs a database query using these parameters: SELECT * FROM {$wpdb->prefix}attendees WHERE firstName LIKE %s AND lastName LIKE %s.
  4. Vulnerability: If the plugin does not sanitize for SQL wildcards (%) or allows empty search terms, it returns multiple records.
  5. Information Exposure: The returned data includes sensitive fields such as email, passcode, or answers to custom questions that should remain private.

4. Nonce Acquisition Strategy

The plugin uses wp_localize_script to pass configuration to the front-end.

  • JS Variable: window.rsvp_plugin_vars
  • Potential Nonce Key: rsvp_plugin_vars.nonce or rsvp_plugin_vars.ajax_nonce (to be verified via browser).

Strategy:

  1. Identify the page containing the [rsvp] shortcode.
  2. Create a test page if necessary:
    wp post create --post_type=page --post_status=publish --post_title="RSVP Test" --post_content='[rsvp]'
  3. Navigate to the page and extract the nonce using browser_eval:
    browser_eval("window.rsvp_plugin_vars?.nonce || window.rsvp_plugin_vars?.ajax_nonce")

5. Exploitation Strategy

Step 1: Wildcard Attendee Search (Primary Vector)

Attempt to dump the guest list by providing wildcards to the search endpoint.

  • Request URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=rsvp_find_attendee&firstName=%25&lastName=%25&nonce=[EXTRACTED_NONCE]
    
    (Note: %25 is the URL-encoded version of the SQL wildcard %)

Step 2: Sensitive Information Extraction

If the wildcard search works, check the response body for:

  • email addresses of guests.
  • passcode values (allowing the attacker to hijack anyone's RSVP).
  • id values (useful for further targeted queries).

Step 3: Unauthenticated Export (Secondary Vector)

Test if the export functionality fixed in earlier versions has regressed.

  • Request URL: http://localhost:8080/wp-admin/admin-ajax.php?action=rsvp_export_attendees
  • Method: GET

6. Test Data Setup

  1. Create Attendees: Use WP-CLI to populate the database with several guests.
    # This assumes a custom table 'wp_attendees'. If the plugin uses a CPT, use 'wp post create'.
    # For this plugin, it typically uses a custom table.
    wp db query "INSERT INTO wp_attendees (firstName, lastName, email, passcode) VALUES ('John', 'Doe', 'john@example.com', 'SECRET123'), ('Jane', 'Smith', 'jane@example.com', 'PASS456');"
    
  2. Ensure Plugin Settings: Ensure the RSVP feature is active.
  3. Place Shortcode: Place [rsvp] on a public page to ensure nonces and scripts are loaded.

7. Expected Results

  • Vulnerable Response: A JSON object or HTML fragment containing the names, emails, and/or passcodes of all attendees created in the setup phase.
  • Success Indicator: Receiving more than one attendee record when only searching for a specific term (or using wildcards).

8. Verification Steps

After the HTTP exploit, verify the exposed data against the database:

# Check if the data returned by the exploit matches the database content
wp db query "SELECT firstName, lastName, email, passcode FROM wp_attendees;"

9. Alternative Approaches

  • Parameter Fuzzing: If firstName/lastName don't work, try search, term, or q.
  • REST API Check: Check if the plugin registered REST routes under /wp-json/rsvp/v1/attendees without a permission_callback.
    # Check for REST routes
    http_request "http://localhost:8080/wp-json/wp/v2/types" 
    # Look for RSVP-related routes in the index
    
  • Direct Access: Some versions of the plugin stored exported files in wp-content/uploads/rsvp/. Check if directory listing or direct file access is possible for generated CSVs.
Research Findings
Static analysis — not yet PoC-verified

Summary

The RSVP and Event Management plugin for WordPress exposes sensitive attendee information through its search AJAX endpoint. Unauthenticated attackers can exploit this by using SQL wildcards to bypass name filters, allowing them to dump the entire guest list including names, emails, and RSVP passcodes.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/rsvp/2.7.16/assets/admin/css/jquery-ui.css /home/deploy/wp-safety.org/data/plugin-versions/rsvp/2.7.17/assets/admin/css/jquery-ui.css
--- /home/deploy/wp-safety.org/data/plugin-versions/rsvp/2.7.16/assets/admin/css/jquery-ui.css	2025-04-17 11:25:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/rsvp/2.7.17/assets/admin/css/jquery-ui.css	2026-03-09 09:22:34.000000000 +0000
@@ -1,1843 +1,1843 @@
-/*
- * jQuery UI CSS Framework @VERSION
- *
- * Copyright 2010, AUTHORS.txt (http://jqueryui.com/about)
- * Dual licensed under the MIT or GPL Version 2 licenses.
- * http://jquery.org/license
- *
- * http://docs.jquery.com/UI/Theming/API
- */
...
 (truncated)

Exploit Outline

1. Locate a public page where the [rsvp] shortcode is embedded to extract the necessary AJAX nonce from the 'rsvp_plugin_vars' JavaScript object. 2. Send an unauthenticated POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'rsvp_find_attendee'. 3. Provide the SQL wildcard character '%' (URL-encoded as '%25') for both the 'firstName' and 'lastName' parameters. 4. Analyze the server's response, which will contain the full attendee database including sensitive fields like email addresses and private RSVP passcodes.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.