CVE-2026-27398
Description
Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects RSVP and Event Management: from n/a through 2.7.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in RSVP and Event Management plugin allows unprivileged attackers to exploit incorrectly configured access controls (CVE-2026-27398).
Vulnerability
A missing authorization vulnerability exists in the WP Chill RSVP and Event Management plugin for WordPress, versions through 2.7.16. The plugin fails to properly enforce access control checks on certain functions, allowing exploitation of incorrectly configured access control security levels. This affects all installations using the plugin up to and including version 2.7.16 [1].
Exploitation
An attacker with no special privileges needs only network access to a WordPress site running the vulnerable plugin version. By crafting requests to the affected endpoint(s), which lack proper authorization or nonce checks, an attacker can trigger actions that should be restricted to higher-privileged users. No authentication or user interaction is needed, making the attack simple to execute [1].
Impact
Successful exploitation allows an unprivileged attacker to perform actions reserved for higher-privileged users, such as modifying event settings or accessing sensitive data. The result is unauthorized execution of plugin functionality and potential data exposure. The severity impact is low, but the issue is notable in mass-exploit campaigns [1].
Mitigation
The vendor has released version 2.7.17 which fixes the vulnerability. Users should update immediately. If updating is not possible, ask your hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins. No other workarounds have been published [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.7.16
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.