Vulnerability Description
The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via an SSRF attack.
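As an added illustration (not code from the plugin or from the advisories), this is the check the description says was missing: a URL is accepted for import only if it uses http(s) and every address its host resolves to is globally routable. The constructed DNS table, the hostnames in it and the `is_remote_url` name are assumptions so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name table so the example runs offline; a real check relies on
# socket.getaddrinfo alone. "rebind.test" returns one public and one loopback answer.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def resolve(host):
    """Return every address the host maps to (constructed table first, then live lookup)."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        # IP literals are handled locally by getaddrinfo, no network needed.
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_remote_url(url, resolver=resolve):
    """True only if url is http(s) and every resolved address is globally routable.

    This is the validation CVE-2021-24371 lacked: a URL handed to curl must not be
    able to reach loopback, RFC 1918, link-local or other internal ranges.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # userinfo in the URL is a classic way to obscure the real host
    addrs = resolver(parts.hostname)
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # is_global is False for loopback, private, link-local, shared and unspecified space,
        # so a single internal answer among several rejects the whole URL.
        if not ip.is_global:
            return False
    return True
```

Resolving once and then letting curl resolve the name again leaves a rebinding window, so a real fix also pins the vetted address (curl's CURLOPT_RESOLVE) and either disables redirects or re-runs the check on every hop. WordPress core's wp_safe_remote_get() applies a comparable host check instead of calling curl directly.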
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Carrcommunications | Rsvpmaker | < 8.7.3 |
Related Weaknesses (CWE)
References
- https://codevigilant.com/disclosure/2021/wp-plugin-rsvpmaker/ (Exploit, Patch, Third Party Advisory)
- https://wpscan.com/vulnerability/63be225c-ebee-4cac-b43e-cf033ee7425d (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-24371?
CVE-2021-24371 is a vulnerability with a CVSS score of 2.7 (LOW). The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes a URL input and calls curl on it, without first validating it to ensure it's...
How severe is CVE-2021-24371?
CVE-2021-24371 has been rated LOW with a CVSS base score of 2.7/10.
Is there a patch for CVE-2021-24371?
Check the references section above for vendor advisories and patch information. Affected products include: Carrcommunications Rsvpmaker.