CVE-2025-24683
Published: 24 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-24683 is an SQL Injection vulnerability (CWE-89), stemming from improper neutralization of special elements used in an SQL command. It affects the WP Chill RSVP and Event Management plugin for WordPress, specifically the rsvp component, in versions from n/a through 2.7.14. The vulnerability was published on 2025-01-24.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). It can be exploited remotely over the network by authenticated users possessing high privileges, with low attack complexity and no requirement for user interaction. Exploitation enables high-impact confidentiality violations, such as data extraction, while achieving changed scope to affect other system components; integrity and availability impacts are low.
The Patchstack advisory provides further details on this vulnerability in WordPress RSVP and Event Management plugin version 2.7.14, accessible at https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-14-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables remote exploitation of the application (T1190) and direct arbitrary database queries for data extraction (T1213.006).