CVE-2022-1054
Published 2022-04-18
CVE-2022-1054: The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export…
Priority: P3 · 40 · medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit
EPSS: 3.60% (88.0th percentile)
The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. The init action fires on every request, including requests from logged-out visitors, so a routine hooked there is reachable by anyone unless it performs its own authorisation check. As a result, unauthenticated attackers could call the export and retrieve PII such as the first name, last name and email address of users registered for events.
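The hook-level mistake the description refers to, shown as an added illustration written for this page and not as code taken from the plugin: a hypothetical export routine hooked to init with no check, beside a hardened version that moves the routine to an admin_post_ hook, requires a capability and a nonce. Every function name, the rsvp_export query parameter and the attendee table name are assumptions made for the example; only the WordPress APIs used (add_action, current_user_can, check_admin_referer, wp_nonce_url, admin_url, wp_die) are real.

```php
<?php
// Added illustration for CVE-2022-1054's bug class; not the plugin's own code.
// Function names, the `rsvp_export` parameter and the table name are assumptions.

// --- Vulnerable pattern: export hooked to `init` ------------------------------
// `init` fires on every request, for logged-out visitors as well, so the only
// gate here is a query parameter that any visitor can supply. Registered only
// for contrast; a real plugin must not keep this variant.
function example_rsvp_export_vulnerable() {
    if ( empty( $_GET['rsvp_export'] ) ) {
        return;
    }
    // No capability check and no nonce: every visitor reaches this line.
    example_rsvp_send_csv( example_rsvp_fetch_attendees() );
}
add_action( 'init', 'example_rsvp_export_vulnerable' );

// --- Hardened pattern ---------------------------------------------------------
// 1. Hook `admin_post_{action}` instead of `init`. WordPress dispatches it only
//    for authenticated users hitting admin-post.php; the unauthenticated twin,
//    `admin_post_nopriv_{action}`, is deliberately not registered.
// 2. Enforce a capability explicitly with current_user_can().
// 3. Require a nonce so a logged-in admin cannot be CSRF'd into exporting.
function example_rsvp_export_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_rsvp_export' ); // dies on a missing/bad nonce
    example_rsvp_send_csv( example_rsvp_fetch_attendees() );
}
add_action( 'admin_post_example_rsvp_export', 'example_rsvp_export_hardened' );

// Link an administrator would click; the nonce is bound to the action name.
function example_rsvp_export_url() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=example_rsvp_export' ),
        'example_rsvp_export'
    );
}

// --- Helpers shared by both variants ------------------------------------------
function example_rsvp_fetch_attendees() {
    global $wpdb;
    // The table name is an assumption for the example.
    return $wpdb->get_results(
        "SELECT first_name, last_name, email FROM {$wpdb->prefix}example_rsvp_attendees",
        ARRAY_A
    );
}

function example_rsvp_send_csv( array $rows ) {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="attendees.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'first_name', 'last_name', 'email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['first_name'], $row['last_name'], $row['email'] ) );
    }
    fclose( $out );
    exit;
}
```

The capability check is the fix for the CWE-862 finding itself; the nonce and the move off init are the two additional controls a reviewer would expect, because an export that is only capability-gated remains a CSRF target and a routine that runs on every request is still executed (and its guard evaluated) for every visitor.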
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpchill | rsvp_and_event_management | < 2.7.8 | 2.7.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| cisa | | 7.8 | HIGH | Belongs to the CISA KEV entry for CVE-2020-1054 listed further down this page, not to CVE-2022-1054 |
GHSA
GHSA-j4p9-r4c6-88m5: The RSVP and Event Management Plugin WordPress plugin before 2
GHSA (unreviewed) · 2022-04-19 · CVE-2022-1054 [MEDIUM] · CWE-862
CISA
The entry below concerns CVE-2020-1054, an unrelated Microsoft Win32k privilege escalation that shares only the numeric suffix 1054 with CVE-2022-1054; its 7.8 HIGH score and remediation date do not apply to the WordPress plugin vulnerability on this page.
Microsoft Win32k Privilege Escalation Vulnerability
cisa · 2021-11-03 · CVSS 7.8
CVE-2020-1054 [HIGH] CWE-787
Vulnerability: Microsoft Win32k Privilege Escalation Vulnerability
Affected: Microsoft Win32k
Microsoft Win32k contains a privilege escalation vulnerability when the Windows kernel-mode driver fails to properly handle objects in memory. Successful exploitation allows an attacker to execute code in kernel mode.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1054
Remediation Due Date: 2022-05-03
No detection rules found.
Nuclei
WordPress RSVP and Event Management <2.7.8 - Missing Authorization
nuclei · CVE-2022-1054 [MEDIUM] · CVSS 5.3
WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to missing authorization. The plugin does not have any authorization checks when exporting its entries, and the export function is hooked to the init action. An attacker can potentially retrieve sensitive information such as first name, last name, and email address of users registered for events.
Template (truncated on the page):
```yaml
id: CVE-2022-1054

info:
  name: WordPress RSVP and Event Management <2.7.8 - Missing Authorization
  author: Akincibor
  severity: medium
  description: WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to missing authorization. The plugin does not have any authorization checks when exporting its entries, and the export function is hoo
```
Published: 2022-04-18