CVE-2022-1768
Severity CVSS v4.0:
Pending analysis
Type:
CWE-89
SQL Injection
Publication date:
13/06/2022
Last modified:
08/04/2026
Description
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to, and including, 9.3.2. <br />
<br />
Please note that this is separate from CVE-2022-1453 & CVE-2022-1505.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:carrcommunications:rsvpmaker:*:*:*:*:*:wordpress:*:* | 9.3.2 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1d02646-271a-4079-8a47-00b4029e9c1f?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1768
- http://packetstormsecurity.com/files/176549/WordPress-RSVPMaker-9.3.2-SQL-Injection.html
- https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1d02646-271a-4079-8a47-00b4029e9c1f?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1768