[CVE-2022-1505] Unauthenticated SQL injection in RSVPmaker version 9.2.6


The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6

Additional information

In the stripesuccess API (which does not require authentication), it takes a parameter directly from a users request called rsvp_id as such:

$rsvp_id = $vars['rsvp_id'];

This value is the used (in the same function) directly in an SQL query unsanitized:

$wpdb->query( 'UPDATE ' . $wpdb->prefix . "rsvpmaker SET amountpaid='$paid' WHERE id=$rsvp_id " );


The fix for the vulnerability in this case is quite simple, just make sure that the rsvp_id is always an integer:

$rsvp_id = intval($vars['rsvp_id']);

It was fixed in the following commit: https://github.com/davidfcarr/rsvpmaker/commit/3bd8e7d83530d2a75fdfd9df34e078ccbc8a9418