VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2023 · Updated Apr 28, 2026

WordPress RSVPMarker Plugin <= 10.6.6 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-27617

Description

Stored XSS vulnerability in RSVPMaker plugin for WordPress allows admin-level users to inject malicious scripts, leading to potential data theft or privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The RSVPMaker plugin for WordPress versions 10.6.6 and earlier contains a stored cross-site scripting (XSS) vulnerability in the admin interface. An authenticated user with administrator privileges can inject arbitrary JavaScript code that is stored and later executed in the context of other admin users' sessions. The vulnerability resides in the plugin's event creation or email marketing features where user input is not properly sanitized before being stored and displayed. [1]

Exploitation

An attacker must have administrator-level access to the WordPress site. They can craft a malicious payload and inject it into a vulnerable field (e.g., event description, email content) within the RSVPMaker plugin. Once saved, the payload is stored and will execute when another administrator views the affected page, such as the event list or email preview. No additional user interaction beyond viewing the page is required for the stored script to run.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any administrator who accesses the compromised page. This can lead to session hijacking, theft of sensitive data (e.g., cookies, authentication tokens), defacement, or further privilege escalation within the WordPress admin panel. The attack is persistent as the malicious script remains stored until removed.

Mitigation

The vulnerability is fixed in RSVPMaker versions after 10.6.6. Users should update to the latest version, which was 12.0.2 at the time of the cited reference [1]. No workarounds are documented; the only mitigation is to apply the update. If unable to update, administrators should avoid using the plugin or restrict access to trusted users only.
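The defect class described above (admin-supplied text stored raw and echoed raw into other administrators' pages) is easiest to see as a before/after pair. The following is an added illustration written for this page, not RSVPMaker's own code and not the actual fix shipped after 10.6.6: the post meta key, the form field names, the nonce action and every `demo_` function are hypothetical, while `wp_kses_post()`, `sanitize_text_field()`, `esc_html()`, `wp_unslash()`, `check_admin_referer()` and `current_user_can()` are real WordPress core APIs.

```php
<?php
// Added illustration (not RSVPMaker's code): a stored-XSS-prone admin field
// beside a hardened version built on WordPress core sanitisation/escaping APIs.
// Meta key, form field names, nonce action and demo_* names are hypothetical.

// --- Vulnerable pattern: raw input stored, raw output rendered ---
function demo_save_event_description_unsafe( int $post_id ): void {
    // Whatever the admin typed, <script> tags included, goes straight to post meta.
    update_post_meta( $post_id, '_demo_event_description', $_POST['event_description'] ?? '' );
}

function demo_render_event_description_unsafe( int $post_id ): void {
    // Stored markup is echoed verbatim into the admin page of whoever views it,
    // so the script runs in that viewer's authenticated session.
    echo get_post_meta( $post_id, '_demo_event_description', true );
}

// --- Hardened pattern: authorise, sanitise on save, escape on output ---
function demo_save_event_description_safe( int $post_id ): void {
    // Capability and nonce checks first, so only an intended submission reaches storage.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'demo_save_event', 'demo_event_nonce' );

    $raw = wp_unslash( $_POST['event_description'] ?? '' );
    // wp_kses_post() keeps the HTML WordPress allows in post content and strips
    // <script>, on* event-handler attributes and javascript: URLs.
    $clean = wp_kses_post( $raw );
    update_post_meta( $post_id, '_demo_event_description', $clean );
}

function demo_render_event_description_safe( int $post_id ): void {
    $stored = (string) get_post_meta( $post_id, '_demo_event_description', true );
    // Filter again at the point of output, regardless of what was stored: this also
    // covers values that reached the database through some other code path.
    echo wp_kses_post( $stored );
}

// Single-line fields such as an email subject need no markup at all.
function demo_sanitize_subject( string $raw ): string {
    return sanitize_text_field( $raw ); // strips tags, invalid UTF-8 and extra whitespace
}

function demo_render_subject( string $stored ): void {
    // Plain-text context: esc_html() neutralises < > & " ' so nothing is parsed as markup.
    echo esc_html( $stored );
}
```

Two caveats worth keeping in mind when triaging this class of finding on a WordPress site. First, the pattern to look for in a plugin review is the pairing: every stored field needs both a sanitiser on the write path and an escaper matched to the output context (text, attribute, URL) on the read path; a sanitiser alone is not enough. Second, single-site WordPress grants administrators the `unfiltered_html` capability by default, so an admin can already post script in ordinary content; the exposure described in this advisory matters most on multisite installs or on sites that set `DISALLOW_UNFILTERED_HTML`, where that capability is withheld and the plugin's own filtering is the only barrier. In either case the supported fix remains the version update.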

References
  1. RSVPMaker

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
