
CVE-2024-12711: CWE-862 Missing Authorization in wpchill RSVP and Event Management

Severity: Medium
Published: Tue Jan 07 2025 (01/07/2025, 11:11:11 UTC)
Source: CVE Database V5
Vendor/Project: wpchill
Product: RSVP and Event Management

Description

CVE-2024-12711 is a medium severity vulnerability in the WordPress RSVP and Event Management plugin by wpchill, affecting all versions up to and including 2.7.13. The flaw arises from missing authorization checks on several AJAX functions: unauthenticated attackers can delete event questions and attendees, and any authenticated user, regardless of role, can change the order of questions in the question menu. The vulnerability does not impact confidentiality or availability, but it allows integrity compromise through unauthorized deletion or modification of event data. The deletion path requires no user interaction and no privileges, so it is straightforward to exploit remotely; the reordering path only requires a logged-in account of any role. No known exploits are currently reported in the wild. Organizations using this plugin risk unauthorized data manipulation that could disrupt event management workflows. Mitigation involves applying the vendor patch when available, restricting access to the affected admin-ajax.php actions in the meantime, and enforcing capability checks on those handlers.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:00:58 UTC

Technical Analysis

CVE-2024-12711 is a vulnerability classified under CWE-862 (Missing Authorization) in the RSVP and Event Management WordPress plugin developed by wpchill. The plugin exposes several AJAX handlers, specifically bulk_delete_attendees() and bulk_delete_questions(), that perform no capability check before acting. In WordPress, AJAX handlers are dispatched through /wp-admin/admin-ajax.php, and a handler that is reachable without authentication and never calls a check such as current_user_can() will execute for anyone who can send the request. Unauthenticated attackers can therefore invoke these endpoints to delete attendees and questions associated with events, compromising the integrity of event data. Separately, authenticated users without appropriate privileges can update the order of questions via the question menu, indicating that the same class of missing access control exists on a third handler. The vulnerability affects all versions up to and including 2.7.13. The CVSS 3.1 base score is 5.3 (medium), corresponding to a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope and a low integrity impact (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), with no direct confidentiality or availability effect. No patches or official fixes are currently linked on this record, and no known exploits have been observed in the wild. The vulnerability could be exploited remotely to destroy event management data, causing operational problems for organizations that rely on the plugin for event coordination.
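The following is an added illustration of the CWE-862 pattern the analysis describes, not code from the wpchill plugin. It shows a bulk-delete AJAX handler that is registered for unauthenticated callers and performs no authorization or nonce check, beside a hardened version of the same handler. The hook name `rsvp_bulk_delete_attendees`, the table name `rsvp_attendees`, the `manage_options` capability and the script handle `rsvp-admin` are assumptions chosen for the example; the real plugin's action names, storage and capability model are not on this page.

```php
<?php
// Added example (not the plugin's code): the CWE-862 pattern beside its fix.
// Hook name, table name, capability and script handle below are assumptions.

// --- Vulnerable pattern ----------------------------------------------------
// Registering on wp_ajax_nopriv_* makes the handler reachable by anyone who can
// POST to /wp-admin/admin-ajax.php?action=rsvp_bulk_delete_attendees, and the
// handler itself never asks who is calling.
add_action( 'wp_ajax_rsvp_bulk_delete_attendees',        'vuln_bulk_delete_attendees' );
add_action( 'wp_ajax_nopriv_rsvp_bulk_delete_attendees', 'vuln_bulk_delete_attendees' );

function vuln_bulk_delete_attendees() {
    global $wpdb;
    // Attacker-controlled list of row IDs; no capability check, no nonce check.
    $ids = array_map( 'intval', (array) ( $_POST['ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        $wpdb->delete( $wpdb->prefix . 'rsvp_attendees', array( 'id' => $id ), array( '%d' ) );
    }
    wp_send_json_success( array( 'deleted' => count( $ids ) ) );
}

// --- Hardened pattern ------------------------------------------------------
// Only the authenticated hook is registered (no wp_ajax_nopriv_*), and the
// handler verifies a nonce (CSRF) and a capability (authorization) before it
// touches any data.
add_action( 'wp_ajax_rsvp_bulk_delete_attendees_safe', 'safe_bulk_delete_attendees' );

function safe_bulk_delete_attendees() {
    // Dies with a 403 JSON response unless the 'nonce' field is a valid nonce
    // for this specific action.
    check_ajax_referer( 'rsvp_bulk_delete_attendees', 'nonce' );

    // Authorization: the caller must explicitly hold the capability that the
    // site grants to event managers (assumed here to be manage_options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    global $wpdb;
    // absint() drops negatives; array_filter() drops zeros left by bad input.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No attendee IDs supplied.' ), 400 );
    }

    $deleted = 0;
    foreach ( $ids as $id ) {
        // $wpdb->delete() returns the number of rows removed (or false on error).
        $deleted += (int) $wpdb->delete( $wpdb->prefix . 'rsvp_attendees', array( 'id' => $id ), array( '%d' ) );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// The nonce the hardened handler expects is handed to the admin page's script
// (handle 'rsvp-admin' is assumed) so that only the legitimate UI can call it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'rsvp-admin', 'rsvpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'rsvp_bulk_delete_attendees' ),
    ) );
} );
```

The two checks are independent and both are needed: `check_ajax_referer()` alone only proves the request originated from a page that was issued a nonce, which any logged-in user can obtain, while `current_user_can()` alone leaves the handler open to cross-site request forgery against an administrator. Dropping the `wp_ajax_nopriv_*` registration is what closes the unauthenticated path the advisory describes.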

Potential Impact

The primary impact of CVE-2024-12711 is unauthorized modification and deletion of event-related data within WordPress sites using the RSVP and Event Management plugin. This can lead to loss of attendee records and event questions, undermining the reliability and trustworthiness of event management processes. For organizations, this could result in operational disruptions, loss of user trust, and potential reputational damage, especially for those relying heavily on event data for business or community engagement. Since the vulnerability allows unauthenticated remote exploitation, attackers can cause damage without needing credentials, increasing the risk of automated or opportunistic attacks. However, the absence of confidentiality or availability impact limits the scope to data integrity issues. The lack of known exploits reduces immediate risk but does not preclude future exploitation. Organizations with high volumes of event management activities or sensitive event data are at greater risk of operational impact.

Mitigation Recommendations

1. Monitor for official patches or updates from wpchill and apply them promptly once released.
2. Until a patch is available, restrict access to the vulnerable AJAX handlers at the edge. A WAF rule cannot match PHP function names such as bulk_delete_attendees() or bulk_delete_questions(); it must match the request that reaches them, i.e. POST or GET requests to /wp-admin/admin-ajax.php whose action parameter names the plugin's bulk-delete and question-reorder actions. Take the action names from the plugin's add_action('wp_ajax_...') registrations or from the requests the admin UI sends, and allow them only for sessions carrying a valid WordPress login cookie.
3. Enforce authorization server-side as well: add a capability check (current_user_can()) and a nonce check (check_ajax_referer()) to these handlers, or install a must-use plugin that rejects the affected actions early unless the caller holds a trusted role.
4. Limit the number of accounts with authenticated access to the WordPress admin area and enforce strong authentication, since the question-reorder path is reachable by any logged-in user.
5. Regularly audit event data and web server logs for unexpected deletions or reordering, in particular admin-ajax.php requests for these actions from clients without a login cookie.
6. Consider disabling or isolating the RSVP and Event Management plugin if event management is not critical or if an alternative secure solution exists.
7. Educate site administrators about the risks and signs of exploitation related to this vulnerability.
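An added example of the interim server-side guard suggested above, written as a WordPress must-use plugin; it is not wpchill's code and does not modify the plugin. It hooks `admin_init`, which admin-ajax.php fires before it dispatches any `wp_ajax_*` action, and rejects the guarded actions unless the caller is logged in and holds the required capability. The action names in `$guarded` are placeholders that must be replaced with the plugin's real action names, and `manage_options` is an assumed capability.

```php
<?php
/*
Plugin Name: RSVP AJAX guard (interim example)
Description: Added example, not the plugin's own code. Blocks under-privileged
calls to selected admin-ajax.php actions until a patched plugin is installed.
*/

// admin-ajax.php runs do_action('admin_init') before dispatching wp_ajax_*
// hooks, so a low-priority-number callback here runs ahead of the vulnerable
// handlers regardless of how they were registered.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return; // Ordinary admin page loads are not our concern.
    }

    // PLACEHOLDER action names => capability the caller must hold.
    // Replace the keys with the plugin's real wp_ajax_* action names.
    $guarded = array(
        'rsvp_bulk_delete_attendees' => 'manage_options',
        'rsvp_bulk_delete_questions' => 'manage_options',
        'rsvp_update_question_order' => 'manage_options',
    );

    // admin-ajax.php reads the action from GET or POST; mirror that here.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( ! isset( $guarded[ $action ] ) ) {
        return; // Not one of the actions we are protecting.
    }

    // Both conditions matter: the deletion path is unauthenticated, and the
    // reorder path is reachable by authenticated users of any role.
    if ( ! is_user_logged_in() || ! current_user_can( $guarded[ $action ] ) ) {
        error_log( sprintf(
            'rsvp-guard: blocked action=%s user=%d ip=%s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        // wp_send_json_error() exits, so the plugin's handler never runs.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 1 );
```

Place the file in wp-content/mu-plugins/ so it loads on every request without activation. The guard only checks capability, not a nonce, because it cannot know which nonce action the plugin's own UI uses; it is a stopgap that removes the unauthenticated and low-privilege paths, and the real fix remains the vendor update that adds proper checks inside the handlers. The error_log line gives the audit trail recommended in item 5 for requests that were blocked.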


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-17T16:10:12.704Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e46b7ef31ef0b59c2cc

Added to database: 2/25/2026, 9:48:54 PM

Last enriched: 2/26/2026, 3:00:58 AM

Last updated: 2/26/2026, 8:00:48 AM

