Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker rsvpmaker allows SQL Injection. This issue affects RSVPMarker: from n/a through <= 11.6.7.
Published: 2025-04-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw (CWE-89) exists in the RSVPMarker WordPress plugin (WordPress.org slug rsvpmaker) in all versions up to and including 11.6.7. User-supplied data reaches an SQL statement without adequate escaping or parameterization, so a crafted request can change the query the plugin runs against the WordPress database. The CVSS vector recorded on this entry (C:H/I:N/A:L, changed scope) frames the impact as disclosure: an attacker can read data from the database, with a limited availability impact and no integrity impact scored. Modification of content or escalation of database privileges is not part of the scored impact, and the entry gives no detail on the vulnerable parameter or endpoint.

Affected Systems

WordPress sites running the RSVPMarker plugin (slug rsvpmaker) at any released version up to and including 11.6.7 are affected; the lower bound is recorded as n/a, meaning no earliest affected version is specified. The vendor is davidfcarr. No further product, platform or operating-system detail is given. Site owners should check whether the plugin is installed and, if so, compare its version against 11.6.7 (for example with wp plugin get rsvpmaker --field=version under WP-CLI). An installed but inactive copy does not expose the vulnerable code, but its files remain on disk and still need updating.
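The version check above, written out as an added example (this is not code from the entry or from the plugin): a WP-CLI script that inventories every installed copy of the plugin, reports whether it is active, and flags versions in the affected range. The slug rsvpmaker is taken from the CVE text; the filename, function name and constant are this example's own choices.

```php
<?php
/**
 * Added example, not code from this entry or from the plugin: find installed
 * copies of RSVPMarker (WordPress.org slug "rsvpmaker", as given in the CVE
 * text) and flag versions in the affected range (<= 11.6.7).
 *
 * Run from the site's document root with WP-CLI:
 *     wp eval-file check-rsvpmaker.php
 */

// Last affected version, from this entry's description ("from n/a through <= 11.6.7").
const EXAMPLE_RSVPMAKER_MAX_AFFECTED = '11.6.7';

// get_plugins() and is_plugin_active() live in an admin include that is not
// loaded on the front end or under WP-CLI by default.
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

/**
 * Return one record per installed copy of the plugin. get_plugins() keys its
 * result as "<directory>/<main-file>.php", so match on the directory rather
 * than assuming the name of the main file.
 */
function example_rsvpmaker_status( array $plugins ): array {
    $found = array();
    foreach ( $plugins as $file => $headers ) {
        if ( strpos( $file, 'rsvpmaker/' ) !== 0 ) {
            continue;
        }
        $version = isset( $headers['Version'] ) ? $headers['Version'] : '0';
        $found[] = array(
            'file'     => $file,
            'version'  => $version,
            // Inactive plugins do not load, so their endpoints are not
            // reachable; the files remain on disk and must still be updated.
            'active'   => is_plugin_active( $file ),
            // "from n/a" means every earlier release is affected, so only the
            // upper bound is compared.
            'affected' => version_compare( $version, EXAMPLE_RSVPMAKER_MAX_AFFECTED, '<=' ),
        );
    }
    return $found;
}

$records = example_rsvpmaker_status( get_plugins() );

if ( empty( $records ) ) {
    WP_CLI::log( 'rsvpmaker is not installed on this site.' );
}

foreach ( $records as $r ) {
    $line = sprintf(
        '%s version %s (%s)',
        $r['file'],
        $r['version'],
        $r['active'] ? 'active' : 'inactive'
    );
    if ( $r['affected'] ) {
        WP_CLI::warning( $line . ': in the affected range, update past ' . EXAMPLE_RSVPMAKER_MAX_AFFECTED );
    } else {
        WP_CLI::log( $line . ': outside the affected range' );
    }
}
```

On a multisite network, a plugin can be enabled network-wide without being active on the individual site; check is_plugin_active_for_network() as well before treating an "inactive" result as unreachable.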

Risk and Exploitability

The CVSS 3.1 base score recorded on this entry is 9.3 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L: reachable over the network, low attack complexity, no privileges and no user interaction required, with a changed scope indicating impact beyond the vulnerable component itself. The EPSS score is below 1 %, so the modelled probability of in-the-wild exploitation over the next 30 days is low; the SSVC assessment on this entry nevertheless marks the flaw as Automatable, and unauthenticated SQL injection in a WordPress plugin is the kind of issue that mass scanners pick up once details are public. It is not listed in the CISA KEV catalog. The attack vector is remote: a crafted HTTP request to the plugin's publicly exposed endpoint, from any network position that can reach the site, suffices, and no authentication is required. The entry does not identify the vulnerable parameter or endpoint.

Generated by OpenCVE AI on May 1, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RSVPMarker plugin to a release later than 11.6.7 as soon as the vendor publishes one that addresses this issue. This entry currently lists no vendor fix or workaround, so confirm the fix in the plugin's changelog before relying on a version number alone.
  • If an immediate update is not possible, deactivate the plugin, or restrict access to the site (or to the plugin's request paths, at the web server or WAF) to trusted networks. Limiting the plugin to administrator accounts is not enough, because the flaw is reachable without authentication (PR:N).
  • In any custom code that queries the database alongside the plugin, pass user input only through $wpdb->prepare() placeholders (or an equivalent parameterized API) and validate it before use, so the same class of injection cannot recur elsewhere on the site.
  • Deploy a web application firewall or request-monitoring solution to detect and block SQL injection attempts against the site. Treat this as a compensating control rather than a substitute for the update: generic SQL injection signatures can be bypassed, and no vulnerable parameter is identified on this entry from which to write a precise rule.
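The third recommendation, shown in WordPress terms as an added example (this is not RSVPMarker's code and not code from this entry; the table, column and function names are hypothetical): a lookup that concatenates request input into SQL, beside the same lookup written with $wpdb->prepare(). The second form also covers the two cases prepare() cannot handle on its own, an ORDER BY column name and a LIKE pattern.

```php
<?php
/**
 * Added example, not code from the plugin or from this entry. Shows the
 * CWE-89 pattern and its parameterized replacement using the WordPress
 * $wpdb API. Table name "example_events" and the example_* functions are
 * hypothetical.
 */

// VULNERABLE: request input is interpolated straight into the SQL string.
// A $slug of  ' OR 1=1 --   removes the WHERE restriction, and $orderby can
// carry arbitrary SQL because it is never checked.
function example_find_events_vulnerable( string $slug, string $orderby ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_events';
    $sql   = "SELECT id, title, start_ts FROM {$table} WHERE slug = '{$slug}' ORDER BY {$orderby}";
    return $wpdb->get_results( $sql );
}

// HARDENED: values go through prepare() placeholders (%s is quoted and
// escaped, %d is cast to an integer). Identifiers such as column names
// cannot be bound, so they are checked against a fixed allowlist instead.
function example_find_events_safe( string $slug, string $orderby, int $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_events';

    $allowed_orderby = array( 'start_ts', 'title', 'id' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'start_ts'; // fall back rather than echo the bad value
    }

    $sql = $wpdb->prepare(
        "SELECT id, title, start_ts FROM {$table} WHERE slug = %s ORDER BY {$orderby} LIMIT %d",
        sanitize_text_field( $slug ),
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// HARDENED LIKE: prepare() escapes quotes but not the LIKE wildcards, so
// esc_like() is applied first and the wildcards are added by this code,
// never by the caller.
function example_search_events_safe( string $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_events';
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}
```

The allowlist is what makes the ORDER BY safe; escaping alone does nothing for an identifier position. On WordPress 6.2 and later, prepare() also accepts a %i placeholder for identifiers, which can replace the manual interpolation of the table name, but the column still needs to come from a fixed set.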

Generated by OpenCVE AI on May 1, 2026 at 01:20 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-9449
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker allows SQL Injection. This issue affects RSVPMarker: from n/a through 11.4.8.
(The EUVD record carries the original affected range; this entry's description was later extended to <= 11.6.7, as the history below shows.)
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker allows SQL Injection. This issue affects RSVPMarker : from n/a through 11.4.8.
Values added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker rsvpmaker allows SQL Injection. This issue affects RSVPMarker : from n/a through <= 11.6.7.

Type: Title
Values removed: WordPress RSVPMarker plugin <= 11.4.8 - SQL Injection vulnerability
Values added: WordPress RSVPMarker plugin <= 11.6.7 - SQL Injection vulnerability

Type: References
(values not shown on this page)

Type: Metrics (cvssV3_1)
Values added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 02 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type: Description
Values added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker allows SQL Injection. This issue affects RSVPMarker : from n/a through 11.4.8.

Type: Title
Values added: WordPress RSVPMarker plugin <= 11.4.8 - SQL Injection vulnerability

Type: Weaknesses
Values added: CWE-89

Type: References
(values not shown on this page)

Type: Metrics (cvssV3_1)
Values added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:12:08.688Z
Reserved: 2025-03-31T10:05:28.896Z
Link: CVE-2025-31552

Vulnrichment

Updated: 2025-04-02T13:22:13.766Z

NVD

Status: Deferred
Published: 2025-04-01T21:15:49.760
Modified: 2026-04-23T15:27:57.183
Link: CVE-2025-31552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:30:05Z

Weaknesses