WordPress RSVPMaker Plugin <= 10.6.6 is vulnerable to Cross Site Scripting (XSS)
Description
Stored XSS in RSVPMaker plugin <=10.6.6 allows unauthenticated attackers to inject arbitrary scripts via stored data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The RSVPMaker plugin for WordPress versions 10.6.6 and earlier contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in input handling where user-supplied data is not properly sanitized before being stored and later displayed. No authentication is required to trigger the vulnerable code path [1].
Exploitation
An attacker can craft a malicious request containing JavaScript payloads and submit it to any publicly accessible input field processed by the plugin. Since the vulnerability is unauthenticated, no login or special privileges are needed. The injected script is stored in the database and executed in the browser of any user who views the affected page, including administrators.
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's browser. This can lead to session cookie theft, page defacement, redirection to malicious sites, or further attacks such as privilege escalation if an administrator views the compromised page. The attacker gains the ability to perform actions on behalf of the victim without authentication.
Mitigation
The vulnerability is fixed in RSVPMaker version 10.6.7 and later. Users should update to the latest available version (12.0.2) from the WordPress plugin repository [1]. No workarounds have been published. The plugin is actively maintained, and updating is the recommended course of action.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- David F. Carr/RSVPMaker v5, Range: n/a
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.