Platform
wordpress
Component
rsvpmaker
Fixed in
9.2.7
CVE-2022-1505 is a critical SQL Injection vulnerability affecting the RSVPMaker plugin for WordPress. This vulnerability allows unauthenticated attackers to directly manipulate SQL queries, potentially leading to unauthorized data access and manipulation. The issue impacts versions of the plugin up to and including 9.2.6. A fix is available via plugin update.
The SQL Injection vulnerability in RSVPMaker allows an attacker to bypass authentication and execute arbitrary SQL queries against the WordPress database. This can lead to the complete compromise of sensitive data, including user credentials and personal information, and potentially of the entire WordPress database. Attackers could use it to gain administrative access to the site, deface it, or steal data. Because no authentication is required, the attack surface is significantly broader, making the flaw reachable by a wide range of attackers.
CVE-2022-1505 was publicly disclosed on May 10, 2022. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the plugin's popularity. The vulnerability's unauthenticated nature increases the likelihood of exploitation. It is not currently listed on CISA KEV, but its critical severity warrants close monitoring.
Websites using the RSVPMaker plugin, particularly those running older versions (≤9.2.6), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r "rsvpmaker-api-endpoints.php" /var/www/html/
• wordpress / composer / npm:
  wp plugin list | grep -i rsvpmaker
• wordpress / composer / npm:
  wp plugin update rsvpmaker
• generic web:
  curl -I https://example.com/wp-content/plugins/rsvpmaker/rsvpmaker-api-endpoints.php | grep SQL
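One way to script the version check above, as an added example that is not from this page or the RSVPMaker project: it reads the Version: field from the plugin's main file header and compares it numerically against the 9.2.7 fix, so that a version such as 9.2.10 is not mistaken for an older one by string comparison. The main-file path rsvpmaker/rsvpmaker.php under wp-content/plugins and the sample header are assumptions.

```python
# Added example (not part of the advisory or the plugin): classify an installed
# RSVPMaker copy against the CVE-2022-1505 affected range (<= 9.2.6, fixed in 9.2.7).
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_IN = "9.2.7"                        # first fixed release, per the advisory
PLUGIN_MAIN = "rsvpmaker/rsvpmaker.php"   # assumed main file under wp-content/plugins

# Matches the "Version:" line of a WordPress plugin file header (with or without "* ").
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.2.6' into (9, 2, 6) so the comparison is numeric, not lexical.
    A lexical compare would wrongly rank '9.2.10' below '9.2.7'.
    Parsing stops at the first non-numeric piece (e.g. '-beta')."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_IN)


def version_from_header(text: str) -> Optional[str]:
    """Extract the Version: field from a plugin file header, or None if absent."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def check_install(plugins_dir: str) -> str:
    """Return 'affected', 'fixed' or 'not installed' for a wp-content/plugins dir."""
    main = Path(plugins_dir) / PLUGIN_MAIN
    if not main.is_file():
        return "not installed"
    version = version_from_header(main.read_text(errors="replace"))
    if version is None:
        raise ValueError(f"no Version: header found in {main}")
    return "affected" if is_affected(version) else "fixed"


# Constructed sample header in the WordPress plugin format (not the real file).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: RSVPMaker\nVersion: 9.2.6\n*/\n"

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"sample header version {v}: affected={is_affected(v)}")
    print(check_install("/var/www/html/wp-content/plugins"))
```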
Exploit status
EPSS
3.44% (87th percentile)
CVSS vector
The primary mitigation for CVE-2022-1505 is to immediately update the RSVPMaker plugin to a version that includes the security fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules that filter potentially malicious SQL queries targeting the rsvpmaker-api-endpoints.php file. Carefully review and sanitize all user input before incorporating it into SQL queries. Monitor web server access logs and WordPress debug logs for suspicious requests to that endpoint and for unexpected SQL errors.
Update the RSVPMaker plugin to the latest available version. Version 9.2.7 or later fixes this SQL injection vulnerability. You can update from the WordPress administration panel or by downloading the latest version from the official repository.
CVE-2022-1505 is a critical SQL Injection vulnerability in the RSVPMaker WordPress plugin, allowing attackers to steal database information.
You are affected if you are using RSVPMaker plugin versions up to and including 9.2.6. Immediate action is required.
Update the RSVPMaker plugin to the latest version. If immediate upgrade isn't possible, implement WAF rules to filter malicious SQL queries.
While no active exploitation has been publicly confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Refer to the RSVPMaker plugin's official website or WordPress plugin repository for the latest advisory and update information.