VYPR
Unrated severity · NVD Advisory · Published Aug 27, 2019 · Updated Aug 5, 2024

CVE-2019-15646

Description

SQL injection in RSVPMaker WordPress plugin before 6.2 allows unauthenticated attackers to execute arbitrary SQL queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The RSVPMaker plugin for WordPress contains a SQL injection vulnerability in versions prior to 6.2. The vulnerable code path allows injection of arbitrary SQL queries via unsanitized input. The plugin repository [1] lists 12.0.2 as the current version, which is later than 6.2, the release in which the vulnerability was fixed.

Exploitation

An attacker can exploit this vulnerability without authentication by sending crafted HTTP requests to the WordPress instance. No special privileges or user interaction are required. The exact parameter and location are not disclosed in the available references; SQL injection in WordPress plugins typically occurs through improperly escaped query parameters.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the WordPress database. This can lead to unauthorized access to sensitive data, including user credentials, post content, and other private information. Full database compromise is possible, potentially resulting in privilege escalation or data exfiltration.

Mitigation

The vulnerability was fixed in RSVPMaker version 6.2. Users should update to version 6.2 or later immediately. The WordPress plugin repository [1] shows the current version is 12.0.2, which includes the fix. No known workarounds are documented for this vulnerability.

References
  1. RSVPMaker

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.