Skip to main content

Rsvp And Event Management CVE-2026-39536

| EUVDEUVD-2026-20191 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 16:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20191
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.

AnalysisAI

Information disclosure in WP Chill RSVP and Event Management plugin versions up to 2.7.16 exposes sensitive system data to unauthenticated remote attackers via unprotected endpoints. The vulnerability allows retrieval of embedded sensitive information without authentication or user interaction, affecting WordPress sites using the affected plugin versions. With EPSS scoring of 0.02% and no public exploit code identified, real-world exploitation risk is minimal despite the network-accessible attack vector.

Technical ContextAI

The vulnerability stems from improper access controls on sensitive data endpoints within the RSVP and Event Management WordPress plugin. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) indicates the plugin fails to properly restrict access to protected resources, allowing unauthenticated actors to query endpoints that return sensitive system or application metadata. This is a common pattern in WordPress plugins where REST API endpoints or internal AJAX handlers lack proper capability checks, permission verification, or nonce validation. The affected product (cpe:2.3:a:wp_chill:rsvp_and_event_management:*:*:*:*:*:*:*:*) is a WordPress plugin distributed via the WordPress plugin repository.

RemediationAI

Update WP Chill RSVP and Event Management plugin to a version newer than 2.7.16; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve for the specific patched version release. If an immediate update is not feasible, disable the plugin or restrict network access to affected endpoints via Web Application Firewall rules until a patch is available. WordPress administrators should verify that any sensitive data (such as user attendee lists or event metadata) exposed through the plugin has not been compromised.

Share

CVE-2026-39536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy