Skip to main content

RSVP and Event Management CVE-2026-27398

| EUVDEUVD-2026-31756 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-ffph-c23r-mr7q
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:50 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects RSVP and Event Management: from n/a through 2.7.16.

AnalysisAI

Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).

Technical ContextAI

The affected software is a WordPress plugin - WP Chill RSVP and Event Management - that handles event creation and guest RSVP workflows. The root cause is CWE-862 (Missing Authorization), a pattern common in WordPress plugins where AJAX handlers or REST API endpoints execute sensitive operations without verifying the caller's WordPress capability level (e.g., checking current_user_can()). The CPE string cpe:2.3:a:wp_chill:rsvp_and_event_management:*:*:*:*:*:*:*:* covers all versions up to and including 2.7.16. The Patchstack advisory classifies this as a Broken Access Control vulnerability, consistent with incorrectly configured security levels in plugin-defined action handlers.

RemediationAI

Update the RSVP and Event Management plugin to a version beyond 2.7.16 as soon as a patched release is available from WP Chill; the exact fixed version is not independently confirmed from the provided data - administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-broken-access-control-vulnerability for a confirmed fix version. If immediate update is not possible, consider temporarily deactivating the plugin to eliminate the attack surface entirely, accepting the trade-off of lost RSVP functionality. Alternatively, deploy a WAF rule to block unauthenticated POST requests to plugin-specific AJAX endpoints (wp-admin/admin-ajax.php with plugin action parameters), noting this may block legitimate guest RSVP submissions. Patch availability per vendor advisory has not been independently confirmed from the supplied data.

Share

CVE-2026-27398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy