CVE-2021-24371: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24371 affects the RSVPMaker WordPress plugin versions before 8.7.3. This Server-Side Request Forgery (SSRF) vulnerability was discovered by Shreya Pohekar of Codevigilant and publicly disclosed on June 29, 2021. The vulnerability exists in the Import feature of the plugin, specifically in the /wp-admin/tools.php?page=rsvpmakerexportscreen path (CodeVigilant, WPScan).

The vulnerability stems from the Import feature's handling of URL inputs where it calls curl without proper validation to ensure the URL is remote. The issue is located in the rsvpmakerexportscreen function within rsvpmaker-admin.php at line 729, where the code executes wpremoteget($url) without proper validation. The vulnerability has been assigned a CVSS score of 4.1 (medium) and is classified under CWE-918 (WPScan, CodeVigilant).

When exploited, this vulnerability allows high-privilege users to perform internal network scanning through SSRF attacks. The attacker could potentially use the Import feature to probe and gather information about the internal network infrastructure (WPScan).

The vulnerability was fixed in RSVPMaker version 8.7.3. Users are advised to update to this version or later to mitigate the risk. The fix was implemented through a code change that adds proper URL validation (WPScan).