PatchSiren cyber security CVE debrief
CVE-2026-27398 WP Chill CVE debrief
A Missing Authorization vulnerability in the WP Chill RSVP and Event Management WordPress plugin allows attackers to exploit incorrectly configured access control security levels. The vulnerability affects all versions through 2.7.16. The issue was published in the CVE database on May 25, 2026, with a subsequent modification on May 26, 2026. The vulnerability is classified as CWE-862 (Missing Authorization) and carries a CVSS 3.1 score of 5.3 (MEDIUM severity), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network-accessible, low-complexity attacks that require no privileges or user interaction, resulting in low integrity impact with no confidentiality or availability impact. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no known ransomware campaign use has been identified. The vendor attribution is currently marked as requiring review, with Patchstack identified as a reference domain candidate.
- Vendor: WP Chill
- Product: RSVP and Event Management
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using the WP Chill RSVP and Event Management plugin; security teams managing WordPress deployments; managed service providers hosting WordPress environments
Technical summary
The RSVP and Event Management plugin for WordPress contains a Missing Authorization vulnerability (CWE-862) in versions through 2.7.16. The vulnerability stems from incorrectly configured access control security levels, allowing attackers to perform unauthorized actions. The CVSS 3.1 score of 5.3 reflects network-based exploitation with no authentication requirements, though impact is limited to integrity (low) with no direct confidentiality or availability impact.
Defensive priority
medium
Recommended defensive actions
- Upgrade RSVP and Event Management plugin to a version newer than 2.7.16 when available
- Review and restrict access controls on WordPress installations using affected plugin versions
- Monitor vendor security advisories from WP Chill for patch availability
- Implement principle of least privilege for WordPress user accounts
- Consider Web Application Firewall (WAF) rules to restrict unauthorized access to plugin functionality pending patch availability
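One way to carry out the first action above is to check whether an installed copy is at or below 2.7.16. This is an added example, not code from WP Chill or the advisory. It assumes the plugin's main PHP file carries the standard WordPress header and that its `Plugin Name` field contains the product name as written here; the sample headers are constructed.

```python
import re
from pathlib import Path

PRODUCT_NAME = "rsvp and event management"  # product name as written in the advisory
LAST_AFFECTED = (2, 7, 16)                  # advisory: affected "through 2.7.16"

# WordPress plugin header fields look like " * Plugin Name: Foo" / " * Version: 1.2.3".
HEADER_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_header(php_source):
    """Return lower-cased header fields found in the first 8 KB of a plugin file."""
    fields = {}
    for key, value in HEADER_FIELD.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def version_tuple(text):
    """'2.7.9' -> (2, 7, 9); missing components count as 0, suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(php_source):
    """True if the header names the product and the version is <= 2.7.16."""
    header = parse_header(php_source)
    if PRODUCT_NAME not in header.get("plugin name", "").lower():
        return False
    if "version" not in header:
        return True  # right plugin, unknown version: flag for manual review
    return version_tuple(header["version"]) <= LAST_AFFECTED

def scan(plugins_dir):
    """Return paths of plugin main files under wp-content/plugins that are affected."""
    return [str(p) for p in sorted(Path(plugins_dir).glob("*/*.php"))
            if is_affected(p.read_text(errors="replace"))]

# Constructed sample headers (not copied from the real plugin).
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: RSVP and Event Management\n * Version: 2.7.16\n */\n"
SAMPLE_NEW = SAMPLE_OLD.replace("2.7.16", "2.7.17")
SAMPLE_OTHER = "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/\n"

if __name__ == "__main__":
    import sys
    for path in scan(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print("affected:", path)
```

Run it with the path to `wp-content/plugins` as the only argument; a copy whose header has no readable version is reported so it can be checked by hand.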
Evidence notes
CVSS vector and score sourced from NVD record. CWE-862 classification confirmed via NVD weaknesses field. Vendor attribution marked as low confidence and requiring review per source metadata.
Official resources
- CVE-2026-27398 CVE record (CVE.org)
- CVE-2026-27398 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
The CVE record indicates this vulnerability was disclosed through coordinated vulnerability disclosure channels, with Patchstack serving as the primary vulnerability identification source.