CVE-2025-48278 HIGH

CVE-2025-48278: WordPress RSVPMarker plugin <= 11.5.6 - SQL Injection Vulnerability

Vendor Davidfcarr
Product RSVPMarker
Weakness CWE-89 · SQLi
Published May 19, 2025
Last update April 28, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker rsvpmaker allows SQL Injection. This issue affects RSVPMarker: from n/a through <= 11.5.6.

Explanation of Vulnerability in Simple Terms

02 Summary

RSVPMarker versions 11.5.6 and earlier contain a SQL injection vulnerability in their database query handling. An attacker holding a low-privilege user account can inject SQL into a query and read sensitive data from the database, including confidential information belonging to other parts of the application. The vulnerability also allows limited disruption of service availability.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the database, including information outside their normal access scope.

Potential impact on your site

04 Site Impact

Unauthorized access to database contents; potential exposure of user data, configuration, and other sensitive records.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06 Disclosure timeline

May 19, 2025 CVE published
April 28, 2026 Record updated