cleantalk
Vulnerabilities and Security Researches

RSVPMaker, CVE-2021-24371

CVE, Research URL

CVE-2021-24371

Home page URL

Security reports for RSVPMaker

Application

RSVPMaker

Published on
Aug 02, 2021
Research Description
The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack.
Affected versions
Min -, max 8.7.4.
Status
vulnerable
Previous vulnerability researches
RSVPMaker for Toastmasters (CVE-2024-50531) , Nov 02, 2024
RSVPMaker Volunteer Roles (CVE-2025-23531) , Jan 29, 2025
RSVPMaker (CVE-2023-25047) , Jun 07, 2024
RSVPMaker (CVE-2019-15646) , Jun 07, 2024
RSVPMaker (CVE-2022-1768) , Jun 07, 2024
New vulnerability
Canonical Attachments (CVE-2025-32543) , Apr 11, 2025
CG Scroll To Top (CVE-2025-31399) , Apr 11, 2025
Ultimate WP Mail (CVE-2025-32694) , Apr 11, 2025
MyBookProgress by Stormhill Media (CVE-2025-30982) , Apr 11, 2025
Social Bookmarking RELOADED (CVE-2025-31393) , Apr 11, 2025