CVE-2022-1768
CRITICAL EXPLOITED NUCLEIRSVPMaker < 9.3.2 - Unauthenticated SQL Injection via rsvpmaker-email.php
Title source: llmExploitation Summary
CVE-2022-1768 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to, and including, 9.3.2. Please note that this is separate from CVE-2022-1453 & CVE-2022-1505.
Nuclei Templates (1)
WordPress RSVPMaker <=9.3.2 - SQL Injection
HIGHVERIFIEDby edoardottt
References (5)
Core 5
Core References
Exploit, Third Party Advisory
https://gist.github.com/Xib3rR4dAr/441d6bb4a5b8ad4b25074a49210a02cc
Exploit, Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2725322%40rsvpmaker&new=2725322%40rsvpmaker&sfp_email=&sfph_mail=
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1768
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/c1d02646-271a-4079-8a47-00b4029e9c1f?source=cve
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/176549/WordPress-RSVPMaker-9.3.2-SQL-Injection.html
Scores
CVSS v3
9.8
EPSS
0.1200
EPSS Percentile
95.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2023-12-20
CWE
CWE-89
Status
published
Products (2)
carrcommunications/rsvpmaker
< 9.3.2
davidfcarr/RSVPMaker
< 9.3.2
Published
Jun 13, 2022
Tracked Since
Feb 18, 2026