CVE-2022-1054

MEDIUM NUCLEI

RSVP and Event Management Plugin < 2.7.8 - Unauthenticated Sensitive Data Exposure via Export Function

Exploitation Summary

CVE-2022-1054 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call it and retrieve PII such as the first name, last name and email address of users registered for events.

Nuclei Templates (1)

WordPress RSVP and Event Management <2.7.8 - Missing Authorization
MEDIUM by Akincibor

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/95a5fad1-e823-4571-8640-19bf5436578d

Scores

CVSS v3 5.3
EPSS 0.0360
EPSS Percentile 88.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-862
Status published
Products (1)
wpchill/rsvp_and_event_management < 2.7.8
Published Apr 18, 2022
Tracked Since Feb 18, 2026