CVE-2021-24371
CVE-2021-24371 is a low-severity vulnerability in Carrcommunications Rsvpmaker with a CVSS 3.x base score of 2.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-918.
Key facts
- Severity: Low (CVSS 3.x base score 2.7)
- CVSS v2: 4.0
- EPSS exploit prediction: 1% (59th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-918
- Affected product: Carrcommunications Rsvpmaker
- Published:
- Last modified:
Description
The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack.
Frequently asked questions
- What is CVE-2021-24371?
- The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack.
- How severe is CVE-2021-24371?
- CVE-2021-24371 has a CVSS 3.x base score of 2.7, rated low severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-24371 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (59th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-24371?
- CVE-2021-24371 affects Carrcommunications Rsvpmaker. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-24371?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-24371 published?
- CVE-2021-24371 was published on 2021-08-02 and last updated on 2026-06-17.
References
- https://codevigilant.com/disclosure/2021/wp-plugin-rsvpmaker/
- https://wpscan.com/vulnerability/63be225c-ebee-4cac-b43e-cf033ee7425d
Affected products (1)
- cpe:2.3:a:carrcommunications:rsvpmaker:*:*:*:*:*:wordpress:*:*
More vulnerabilities in Carrcommunications Rsvpmaker
- CVE-2024-50531 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in davidfcarr RSVPMaker for Toastmasters…
- CVE-2023-25054 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in David F. Carr RSVPMaker.This issue affects…
- CVE-2022-1768 — Critical (CVSS 9.8): The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and…
- CVE-2022-1505 — Critical (CVSS 9.8): The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and…
- CVE-2022-1453 — Critical (CVSS 9.8): The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and…
- CVE-2019-15646 — Critical (CVSS 9.8): The rsvpmaker plugin before 6.2 for WordPress has SQL injection.
All CVEs affecting Carrcommunications Rsvpmaker →
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →