CVE-2021-24943: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24943 affects the Registrations for the Events Calendar WordPress plugin versions before 2.7.6. This security flaw was discovered by Krzysztof Zając and publicly disclosed on November 8, 2021. The vulnerability is an unauthenticated SQL injection that exists in the plugin's AJAX functionality (WPScan).

The vulnerability stems from improper input validation in the rtecsendunregisterlink AJAX action. Specifically, the plugin fails to sanitize and escape the eventid parameter before using it in SQL statements. This vulnerability has been assigned a CVSS score of 8.6 (High) and is classified as a SQL Injection (SQLI) vulnerability, falling under the OWASP Top 10 category A1: Injection and CWE-89 (WPScan).

The vulnerability allows both authenticated and unauthenticated users to perform SQL injection attacks. Attackers can exploit this flaw to access and potentially extract sensitive information from the WordPress database, including user email addresses and other stored data (WPScan, CVE).

The vulnerability has been fixed in version 2.7.6 of the Registrations for the Events Calendar plugin. Users are strongly advised to update to this version or later to protect their installations from potential attacks (WPScan).