Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the WP Chill RSVP and Event Management plugin permits an unauthorized user to retrieve embedded sensitive data, exposing system information and compromising confidentiality. It originates from an improper handling of data within the plugin and is classified as CWE‑497, which denotes an improper constraint on the scope of a function leading to unintended information disclosure.

Affected Systems

The affected product is the WP Chill RSVP and Event Management WordPress plugin, versions from the earliest release through 2.7.16 inclusive. No other vendors or products are listed as impacted.

Risk and Exploitability

With a CVSS score of 5.3 the risk is moderate; the EPSS score is under 1% and the vulnerability is not listed in CISA’s KEV catalog. The likely attack path involves crafting a request that exploits the plugin’s data retrieval functionality, but explicit attack vectors are not detailed in the description. Overall, the exploitability is considered low to moderate, yet the impact on sensitive data warrants timely remediation.

Generated by OpenCVE AI on April 13, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Chill RSVP and Event Management to a version newer than 2.7.16 if available.
  • If an update is not immediately available, disable or remove the plugin from the WordPress installation.
  • Verify that no residual data exposure is present by testing the plugin’s data access endpoints after changes.
  • Monitor website logs for any attempts to access the plugin’s data endpoints and investigate any anomalous activity.

Generated by OpenCVE AI on April 13, 2026 at 18:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpchill
Wpchill rsvp And Event Management
Vendors & Products Wordpress
Wordpress wordpress
Wpchill
Wpchill rsvp And Event Management

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.
Title WordPress RSVP and Event Management plugin <= 2.7.16 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References

Subscriptions

Wordpress Wordpress
Wpchill Rsvp And Event Management
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.098Z

Reserved: 2026-04-07T10:48:15.448Z

Link: CVE-2026-39536

cve-icon Vulnrichment

Updated: 2026-04-13T15:27:44.717Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:26.360

Modified: 2026-04-24T18:07:25.343

Link: CVE-2026-39536

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:39:51Z

Weaknesses