CVE-2018-21004
Description
The RSVPMaker plugin for WordPress before version 5.6.4 is vulnerable to SQL injection, allowing attackers to execute arbitrary SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The RSVPMaker plugin for WordPress versions prior to 5.6.4 contains a SQL injection vulnerability [1]. The CVE description does not identify the affected query, the request parameter that reaches it, or whether the vulnerable code path requires authentication; the cited sources for the flaw and its fix are the WPScan entry and the 5.6.4 tag in the plugin repository [1]. The mechanism is the one common to this class of bug: a value taken from the HTTP request is concatenated into a SQL string instead of being bound as a parameter through $wpdb->prepare().
Exploitation
An attacker exploits this class of flaw by sending a crafted HTTP request to a WordPress site running an affected version of RSVPMaker, with SQL syntax placed in the parameter the plugin passes into its query [1]. Because that value is neither sanitized nor parameterized, the database executes attacker-controlled SQL. Whether the request must be authenticated is not stated in the CVE description, so a site that exposes the plugin to untrusted users should be treated as reachable until it is updated.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands against the WordPress database [1]. This can lead to unauthorized reading of sensitive data (password hashes from wp_users, event attendee records), modification or deletion of rows, and, if the injection point permits writes to wp_users or wp_usermeta, creation or elevation of an administrator account, which amounts to full compromise of the site.
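The injection pattern described under Exploitation and Impact, as an added example that is not part of this page or of the RSVPMaker code base: a constructed in-memory SQLite database stands in for the WordPress database, the rsvp_attendees table and its columns are hypothetical, and the vulnerable lookup concatenates the request value into the SQL text while the hardened lookup coerces and binds it, which is what absint() and $wpdb->prepare() do in WordPress PHP. Python is used so the example runs offline; the mechanics are identical in the plugin's PHP.

```python
import sqlite3

# Constructed sample data: a WordPress users table and a hypothetical
# attendee table. None of this is RSVPMaker's real schema.
SCHEMA = """
CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
CREATE TABLE rsvp_attendees (event_id INTEGER, name TEXT, email TEXT);
INSERT INTO wp_users VALUES ('admin', '$P$Bconstructed.hash.value.not.real');
INSERT INTO rsvp_attendees VALUES (1, 'Ada', 'ada@example.org');
INSERT INTO rsvp_attendees VALUES (2, 'Bob', 'bob@example.org');
"""

# Constructed attacker payload for the event_id parameter. The UNION selects
# two columns from wp_users so the row shape matches the attendee query.
PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"


def build_db():
    """Return an in-memory database populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def attendees_vulnerable(con, event_id):
    """Lookup in the style the narrative describes: the request value is
    interpolated straight into the SQL text, so SQL in it is executed."""
    sql = f"SELECT name, email FROM rsvp_attendees WHERE event_id = {event_id}"
    return con.execute(sql).fetchall()


def attendees_safe(con, event_id):
    """Hardened lookup: coerce to int (WordPress absint()) and bind the value
    as a parameter (WordPress $wpdb->prepare() with a %d placeholder)."""
    try:
        eid = int(event_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name, email FROM rsvp_attendees WHERE event_id = ?"
    return con.execute(sql, (eid,)).fetchall()


def demo():
    """Run both lookups against the payload and report what each returned."""
    con = build_db()
    return {
        "vulnerable_rows": attendees_vulnerable(con, PAYLOAD),
        "safe_rows": attendees_safe(con, PAYLOAD),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

With the payload, the vulnerable lookup returns the event's attendees plus the admin login and password hash from wp_users; the hardened lookup rejects the value before it reaches the database.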
Mitigation
The vulnerability is fixed in RSVPMaker version 5.6.4 [1]; update to at least that version. No workaround is documented. The plugin is actively maintained, and the latest version (12.0.2) includes this and later security fixes [1]. The 5.6.4 tag in the plugin repository [1] is the place to diff against the preceding tag if the exact change needs to be reviewed. There is no indication that this CVE has been added to the CISA Known Exploited Vulnerabilities catalog.
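A version gate for the update step above, as an added example that is not part of this page or of the plugin: it reads the Version line from a WordPress plugin header and reports whether the install predates 5.6.4. The path wp-content/plugins/rsvpmaker/rsvpmaker.php is an assumption about where the main plugin file lives, and the header text embedded below is constructed. Versions are compared as integer tuples rather than strings so that 5.6.10 does not sort before 5.6.4.

```python
import re
from pathlib import Path

FIXED_IN = (5, 6, 4)  # first RSVPMaker release carrying the fix, per the CVE

# Matches the "Version:" line of a WordPress plugin header comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M)

# Constructed header in the shape WordPress expects; not the real file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: RSVPMaker
Version: 5.6.3
*/
"""


def parse_version(text):
    """Return the header's version as a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(text, fixed_in=FIXED_IN):
    """True when the header's version is strictly below the fixed release."""
    version = parse_version(text)
    return version is not None and version < fixed_in


def check_install(plugin_file):
    """Read a plugin's main file; return (version string or None, affected)."""
    text = Path(plugin_file).read_text(encoding="utf-8", errors="replace")
    version = parse_version(text)
    if version is None:
        return (None, False)
    return (".".join(map(str, version)), version < FIXED_IN)


if __name__ == "__main__":
    print("constructed sample header affected:", is_affected(SAMPLE_HEADER))
    # Assumed location under the WordPress root; only checked if present.
    target = Path("wp-content/plugins/rsvpmaker/rsvpmaker.php")
    if target.exists():
        print(target, check_install(target))
```

Run it from the WordPress root; a missing header is reported as not affected rather than raising, so run the check against the plugin's main file, not an arbitrary file in the directory.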
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/rsvpmaker
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/log/rsvpmaker/tags/5.6.4
- wordpress.org/plugins/rsvpmaker/
- wpvulndb.com/vulnerabilities/9831
News mentions
No linked articles in our index yet.