CVE-2023-7170: 
WordPress vulnerability analysis and mitigation

The EventON-RSVP WordPress plugin before version 2.9.5 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly disclosed on December 29, 2023, and was assigned CVE-2023-7170. This security issue affects the EventON-RSVP plugin for WordPress installations (WPScan).

The vulnerability stems from improper sanitization and escaping of certain parameters before they are output back to the page. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability could be exploited against high-privilege users such as administrators, potentially allowing attackers to execute malicious scripts in the context of the victim's browser session. This could lead to unauthorized actions being performed on behalf of the administrator or the theft of sensitive information (WPScan).

The vulnerability has been fixed in version 2.9.5 of the EventON-RSVP plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).