{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39536", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:16.908Z", "dateUpdated": "2026-04-08T08:30:16.908Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "rsvp", "product": "RSVP and Event Management", "vendor": "WP Chill", "versions": [{"changes": [{"at": "2.7.17", "status": "unaffected"}], "lessThanOrEqual": "2.7.16", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:00.523Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.<p>This issue affects RSVP and Event Management: from n/a through <= 2.7.16.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.908Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress RSVP and Event Management plugin <= 2.7.16 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16."}], "id": "CVE-2026-39536", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:26.360", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.16]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.7.17"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "RSVP and Event Management", "source": "cna", "vendor": "WP Chill"}, "product": "rsvp_and_event_management", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-04-08T10:38:23.853137+00:00", "value": {"mitigation_remediation": ["Upgrade WP Chill:RSVP and Event Management to a version newer than 2.7.16.", "If an upgrade is not possible, restrict the plugin\u2019s usage so that only privileged users can access it.", "Disable the plugin entirely if it is not required for site functionality.", "Verify that no other sensitive information remains exposed by scanning the plugin files."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "WP Chill:RSVP and Event Management plugin for WordPress, versions up through 2.7.16.", "description_and_impact": "The WordPress RSVP and Event Management plugin contains a flaw that permits the retrieval of embedded sensitive information. Classified under CWE\u2011497, the vulnerability enables an unauthorized control sphere to access sensitive system data, thereby compromising data confidentiality.", "risk_and_exploitability": "No CVSS score is available and the EPSS score is not provided; the vulnerability is not listed in the CISA KEV catalog, indicating it may not yet be widely exploited. Based on the description, it is inferred that the flaw can be exploited via the plugin\u2019s web interface, requiring no authentication. An attacker with network access to the WordPress site could trigger the exposed endpoint to retrieve embedded sensitive data, posing a significant confidentiality risk."}}}}, "created": "2026-04-08T19:30:24.181887+00:00", "updated": "2026-04-08T19:42:41.221185+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$rsvp_and_event_management"]}