Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.
AnalysisAI
Information disclosure in WP Chill RSVP and Event Management plugin versions up to 2.7.16 exposes sensitive system data to unauthenticated remote attackers via unprotected endpoints. The vulnerability allows retrieval of embedded sensitive information without authentication or user interaction, affecting WordPress sites using the affected plugin versions. With EPSS scoring of 0.02% and no public exploit code identified, real-world exploitation risk is minimal despite the network-accessible attack vector.
Technical ContextAI
The vulnerability stems from improper access controls on sensitive data endpoints within the RSVP and Event Management WordPress plugin. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) indicates the plugin fails to properly restrict access to protected resources, allowing unauthenticated actors to query endpoints that return sensitive system or application metadata. This is a common pattern in WordPress plugins where REST API endpoints or internal AJAX handlers lack proper capability checks, permission verification, or nonce validation. The affected product (cpe:2.3:a:wp_chill:rsvp_and_event_management:*:*:*:*:*:*:*:*) is a WordPress plugin distributed via the WordPress plugin repository.
RemediationAI
Update WP Chill RSVP and Event Management plugin to a version newer than 2.7.16; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve for the specific patched version release. If an immediate update is not feasible, disable the plugin or restrict network access to affected endpoints via Web Application Firewall rules until a patch is available. WordPress administrators should verify that any sensitive data (such as user attendee lists or event metadata) exposed through the plugin has not been compromised.
More in Rsvp And Event Management
View allThe RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting
Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unaut
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20191