Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MicahBlu RSVP ME rsvp-me allows SQL Injection.This issue affects RSVP ME: from n/a through <= 1.9.9.
AnalysisAI
SQL injection in the MicahBlu RSVP ME WordPress plugin (versions up to and including 1.9.9) allows remote unauthenticated attackers to inject crafted SQL statements that read sensitive database contents and partially impact integrity of backend systems. The CVSS 9.3 score reflects a network-reachable, no-privilege, no-interaction attack with scope change, and an EPSS of 37.74% (97th percentile) indicates substantially elevated exploitation probability relative to the broader CVE population, though no public exploit identified at time of analysis. The flaw was reported through Patchstack's WordPress plugin audit program.
Technical ContextAI
RSVP ME is a WordPress plugin (CPE cpe:2.3:a:micahblu:rsvp_me:*:*:*:*:*:wordpress:*:*) that provides event RSVP functionality and stores guest/event data in the WordPress MySQL database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input is concatenated or interpolated into SQL queries without proper parameterization, prepared statements, or use of WordPress's $wpdb->prepare() escaping APIs. Because WordPress plugins share the global database with core tables (wp_users, wp_options, wp_usermeta), a successful SQLi against the plugin's queries can extend beyond plugin-specific tables to the entire WordPress backend, which is consistent with the Scope:Changed designation in the CVSS vector.
RemediationAI
No vendor-released patch identified at time of analysis; the advisory describes the affected range as up to and including 1.9.9 with no fixed version published in the supplied data, so administrators should monitor the Patchstack advisory (audit@patchstack.com) and the plugin's WordPress.org listing for a release above 1.9.9. As a primary compensating control, deactivate and remove the RSVP ME plugin from WordPress installations until a patched version is published, since the plugin is unauthenticated-network-reachable and currently unfixed. If removal is not operationally acceptable, place the site behind a WordPress-aware WAF (e.g. Patchstack mTLS rules, Wordfence, or Cloudflare managed WordPress ruleset) with virtual-patch signatures targeting SQLi against RSVP ME endpoints, accepting the trade-off that WAF coverage depends on payload signatures and may miss obfuscated injections; additionally restrict access to plugin-handled URLs (typically under /wp-admin/admin-ajax.php with RSVP ME actions, or the public RSVP submission shortcode pages) via IP allowlist where feasible, with the side effect of breaking legitimate public RSVP submissions.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today