CVE-2022-1453

CRITICAL EXPLOITED NUCLEI

RSVPMaker <= 9.2.5 - Unauthenticated SQL Injection in rsvpmaker-util.php

Title source: llm

Exploitation Summary

CVE-2022-1453 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5.

Nuclei Templates (1)

RSVPMaker <= 9.2.5 - SQL Injection

CRITICALVERIFIEDby Shivam Kamboj

References (4)

Core 4

Core References

Patch

https://github.com/davidfcarr/rsvpmaker/commit/bfb189f49af7ab0d34499a2da772e3266f72167d

Patch

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2714389%40rsvpmaker&new=2714389%40rsvpmaker&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/6031edec-4274-4e42-9e3a-ce0c94958b17?source=cve

Third Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1453

Scores

CVSS v3 9.8

EPSS 0.0691

EPSS Percentile 93.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2026-03-31

CWE

CWE-89

Status published

Products (2)

carrcommunications/rsvpmaker < 9.2.6

davidfcarr/RSVPMaker < 9.2.5

Published May 10, 2022

Tracked Since Feb 18, 2026