{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39536", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:16.908Z", "dateUpdated": "2026-04-29T09:52:02.098Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "rsvp", "product": "RSVP and Event Management", "vendor": "WP Chill", "versions": [{"changes": [{"at": "2.7.17", "status": "unaffected"}], "lessThanOrEqual": "2.7.16", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:00.523Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.<p>This issue affects RSVP and Event Management: from n/a through <= 2.7.16.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.098Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress RSVP and Event Management plugin <= 2.7.16 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:27:53.643587Z", "id": "CVE-2026-39536", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:27:59.658Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:27:53.643587Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:27:44.717Z"}}], "cna": {"title": "WordPress RSVP and Event Management plugin <= 2.7.16 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "WP Chill", "product": "RSVP and Event Management", "versions": [{"status": "affected", "changes": [{"at": "2.7.17", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.7.16"}], "packageName": "rsvp", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:29:00.523Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.<p>This issue affects RSVP and Event Management: from n/a through <= 2.7.16.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.908Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39536", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:27:59.658Z", "dateReserved": "2026-04-07T10:48:15.448Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:16.908Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16."}], "id": "CVE-2026-39536", "lastModified": "2026-04-24T18:07:25.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:26.360", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/rsvp/vulnerability/wordpress-rsvp-and-event-management-plugin-2-7-16-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.16]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.7.17"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "RSVP and Event Management", "source": "cna", "vendor": "WP Chill"}, "product": "rsvp_and_event_management", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-04-13T18:46:36.292681+00:00", "value": {"mitigation_remediation": ["Update WP Chill RSVP and Event Management to a version newer than 2.7.16 if available.", "If an update is not immediately available, disable or remove the plugin from the WordPress installation.", "Verify that no residual data exposure is present by testing the plugin\u2019s data access endpoints after changes.", "Monitor website logs for any attempts to access the plugin\u2019s data endpoints and investigate any anomalous activity."], "summary": {"action": "Apply Patch", "impact": "Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the WP Chill RSVP and Event Management WordPress plugin, versions from the earliest release through 2.7.16 inclusive. No other vendors or products are listed as impacted.", "description_and_impact": "The vulnerability in the WP Chill RSVP and Event Management plugin permits an unauthorized user to retrieve embedded sensitive data, exposing system information and compromising confidentiality. It originates from an improper handling of data within the plugin and is classified as CWE\u2011497, which denotes an improper constraint on the scope of a function leading to unintended information disclosure.", "risk_and_exploitability": "With a CVSS score of 5.3 the risk is moderate; the EPSS score is under 1% and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack path involves crafting a request that exploits the plugin\u2019s data retrieval functionality, but explicit attack vectors are not detailed in the description. Overall, the exploitability is considered low to moderate, yet the impact on sensitive data warrants timely remediation."}}}}, "created": "2026-04-08T19:30:24.181887+00:00", "updated": "2026-04-14T16:39:51.390374+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$rsvp_and_event_management"]}