Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects RSVP and Event Management: from n/a through 2.7.16.
AnalysisAI
Missing authorization in the WP Chill RSVP and Event Management WordPress plugin (versions through 2.7.16) enables unauthenticated remote attackers to perform unauthorized write operations by bypassing access control checks. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully remote, zero-complexity, unauthenticated exploitation is possible against default plugin installations. Impact is limited to partial integrity degradation (I:L) with no confidentiality or availability loss; no public exploit has been identified at time of analysis and EPSS is very low at 0.03% (8th percentile).
Technical ContextAI
The affected software is a WordPress plugin - WP Chill RSVP and Event Management - that handles event creation and guest RSVP workflows. The root cause is CWE-862 (Missing Authorization), a pattern common in WordPress plugins where AJAX handlers or REST API endpoints execute sensitive operations without verifying the caller's WordPress capability level (e.g., checking current_user_can()). The CPE string cpe:2.3:a:wp_chill:rsvp_and_event_management:*:*:*:*:*:*:*:* covers all versions up to and including 2.7.16. The Patchstack advisory classifies this as a Broken Access Control vulnerability, consistent with incorrectly configured security levels in plugin-defined action handlers.
RemediationAI
Update the RSVP and Event Management plugin to a version beyond 2.7.16 as soon as a patched release is available from WP Chill; the exact fixed version is not independently confirmed from the provided data - administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-broken-access-control-vulnerability for a confirmed fix version. If immediate update is not possible, consider temporarily deactivating the plugin to eliminate the attack surface entirely, accepting the trade-off of lost RSVP functionality. Alternatively, deploy a WAF rule to block unauthenticated POST requests to plugin-specific AJAX endpoints (wp-admin/admin-ajax.php with plugin action parameters), noting this may block legitimate guest RSVP submissions. Patch availability per vendor advisory has not been independently confirmed from the supplied data.
More in Rsvp And Event Management
View allThe RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting
Information disclosure in WP Chill RSVP and Event Management plugin versions up to 2.7.16 exposes sensitive system data
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31756
GHSA-ffph-c23r-mr7q