CVE-2021-38337: 
WordPress vulnerability analysis and mitigation

The RSVPMaker Excel WordPress plugin was found to contain a Reflected Cross-Site Scripting vulnerability (CVE-2021-38337) affecting versions up to and including 1.1. The vulnerability was discovered in September 2021 and stems from a reflected $SERVER["PHPSELF"] value in the ~/phpexcel/PHPExcel/Shared/JAMA/docs/download.php file (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Under CVSS v2.0, it received a base score of 4.3 (Medium) with vector (AV:N/AC:M/Au:N/C:N/I:P/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability allows attackers to inject arbitrary web scripts into the application. When successfully exploited, this could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (NVD).

Users should upgrade to a version newer than 1.1 of the RSVPMaker Excel WordPress plugin. If upgrading is not immediately possible, it is recommended to implement additional security controls to filter and validate user input, particularly in areas handling $SERVER["PHPSELF"] values (NVD).