CVE-2021-24371— RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-24371
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Import feature of the RSVPMaker WordPress plugin before 8.7.3 (/wp-admin/tools.php?page=rsvpmaker_export_screen) takes an URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high privilege user could use that feature to scan the internal network via a SSRF attack.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress Plugin RSVPMaker 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin RSVPMaker 中存在代码问题漏洞,该漏洞源于产品的 /wp-admin/tools.php?page=rsvpmaker_export_screen 页面的导入功能未能校验URL输入框的数据。攻击者可通过该漏洞扫描内网环
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-24371
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-24371
请登录查看更多情报信息。
- https://codevigilant.com/disclosure/2021/wp-plugin-rsvpmaker/x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-24371
Same Patch Batch · Unknown · 2021-08-02 · 26 CVEs total
| CVE-2021-24474 | Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (XSS) | |
| CVE-2021-24444 | TaxoPress < 3.0.7.2 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24425 | myStickymenu < 2.5.2 - Authenticated Stored XSS | |
| CVE-2021-24428 | RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS | |
| CVE-2021-24430 | Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE | |
| CVE-2021-24443 | Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography | |
| CVE-2021-24448 | Profile Builder < 3.4.8 - Authenticated Stored XSS | |
| CVE-2021-24450 | ProfilePress < 3.1.8 - Authenticated Stored XSS | |
| CVE-2021-24455 | Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24464 | YouTube Embed, Playlist and Popup < 2.3.9 - Contributor+ Stored XSS | |
| CVE-2021-24468 | Leaflet Map < 3.0.0 - Contributor+ Stored XSS | |
| CVE-2021-24470 | Yada Wiki < 3.4.1 - Contributor+ Stored XSS | |
| CVE-2021-24473 | User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR | |
| CVE-2021-24504 | WP LMS <= 1.1.2 - Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24476 | Steam Group Viewer <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24477 | Migrate Users <= 1.0.1 - CSRF to Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24478 | Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24479 | DrawBlog <= 0.90 - Authenticated Stored Cross-Site Scripting (XSS) | |
| CVE-2021-24480 | Event Geek <= 2.5.2 - Stored Cross-site Scripting (XSS) | |
| CVE-2021-24481 | Any Hostname <= 1.0.6 - Authenticated Stored Cross-Site Scripting (XSS) |
Showing top 20 of 26 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: RSVPMaker
- CVE-2023-25054
WordPress RSVPMarker Plugin <= 10.6.6 is vulnerable to Remot - CVE-2023-41652
WordPress RSVPMarker Plugin <= 10.6.6 is vulnerable to SQL I - CVE-2023-25047
WordPress RSVPMarker Plugin <= 9.9.3 is vulnerable to SQL In - CVE-2023-25045
WordPress RSVPMarker Plugin <= 9.9.3 is vulnerable to SQL In - CVE-2023-27616
WordPress RSVPMarker Plugin <= 10.6.6 is vulnerable to Cross
Same vendor: Unknown
- CVE-2026-6433
Custom CSS JS PHP <= 2.0.7 - Unauthenticated SQL Injection t - CVE-2026-4935
SureTriggers < 1.1.23 – Unauthenticated SQLi - CVE-2026-5335
Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosu - CVE-2026-5337
Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary - CVE-2026-5306
Check & Log Email < 2.0.13 - Unauthenticated Stored XSS
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2021-24371
No comments yet