Multiple vulnerabilities in RegistrationMagic – Custom Registration Forms and User Login plugin for WordPress



Published: 2020-03-06
Risk: High
Patch available: YES
Number of vulnerabilities: 5
CVE-ID: CVE-2020-9456, CVE-2020-9454, CVE-2020-9455, CVE-2020-9458, CVE-2020-9457
CWE-ID: CWE-264, CWE-352, CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: RegistrationMagic – Custom Registration Forms and User Login (Web applications / Modules and components for CMS)
Vendor: Registrationmagic

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU25801

Risk: High

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9456

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to insufficient capability checks or nonces for functions in the plugin used for administrative purposes. A remote user can send a specially crafted request with the "rm_slug" $_POST parameter set to "rm_user_edit" and the "user_id" parameter set to the user’s ID (which can typically be obtained from the user’s profile page) and change the user’s role to administrator.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

RegistrationMagic – Custom Registration Forms and User Login: 2.5.3 - 4.6.0.3

External links

http://wpvulndb.com/vulnerabilities/10116/
http://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-registrationmagic-plugin/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site request forgery

EUVDB-ID: #VU25802

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9454

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote authenticated attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as modifying settings.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

RegistrationMagic – Custom Registration Forms and User Login: 2.5.3 - 4.6.0.3

External links

http://wpvulndb.com/vulnerabilities/10116/
http://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-registrationmagic-plugin/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site request forgery

EUVDB-ID: #VU25803

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9455

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the "send_email_ajax" function. A remote authenticated attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

RegistrationMagic – Custom Registration Forms and User Login: 2.5.3 - 4.6.0.3

External links

http://wpvulndb.com/vulnerabilities/10116/
http://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-registrationmagic-plugin/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU25804

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9458

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the "export" function lacks access control or a nonce check. A remote authenticated attacker can send a specially crafted request with the "rm_slug" $_POST parameter set to "rm_form_export", which causes the plugin to export every form on the site, including everything that had ever been submitted to any of these forms (though this does not include login credentials).
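For triage, the check below is an added example and is not part of the original bulletin or the plugin's code. It tests an installed version against the affected range stated here and flags the "rm_slug" values named under vulnerabilities 1 and 4 when they arrive from a non-administrator session. The JSON-lines audit-log format, its field names ("method", "user", "role", "post") and the sample records are assumptions constructed for illustration.

```python
import json

# Affected range exactly as stated in this bulletin.
AFFECTED_MIN, AFFECTED_MAX = "2.5.3", "4.6.0.3"
# rm_slug values named in the bulletin, mapped to the CVE they relate to.
SENSITIVE_SLUGS = {"rm_user_edit": "CVE-2020-9456",
                   "rm_form_export": "CVE-2020-9458"}

def parse_version(text):
    """'4.6.0.3' -> (4, 6, 0, 3); short versions are zero-padded to 4 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version):
    """True if the installed plugin version lies inside the stated range."""
    lo, hi = parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    return lo <= parse_version(version) <= hi

def suspicious_requests(log_lines):
    """Return (line_no, cve, detail) for POSTs carrying a named rm_slug
    value from a session whose role is not administrator."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        post = rec.get("post")
        slug = post.get("rm_slug") if isinstance(post, dict) else None
        if (isinstance(slug, str) and slug in SENSITIVE_SLUGS
                and rec.get("role") != "administrator"):
            detail = f"{rec.get('user')} ({rec.get('role')}) sent rm_slug={slug}"
            findings.append((line_no, SENSITIVE_SLUGS[slug], detail))
    return findings

# Constructed sample records (hypothetical audit-log format, one JSON object per line).
SAMPLE_LOG = [
    '{"method":"POST","user":"alice","role":"administrator","post":{"rm_slug":"rm_user_edit","user_id":"7"}}',
    '{"method":"POST","user":"bob","role":"subscriber","post":{"rm_slug":"rm_user_edit","user_id":"12"}}',
    '{"method":"GET","user":"carol","role":"subscriber","post":null}',
    'truncated line, not JSON',
    '{"method":"POST","user":"dave","role":"subscriber","post":{"rm_slug":"rm_form_export"}}',
]

if __name__ == "__main__":
    print("4.6.0.3 affected:", is_affected("4.6.0.3"))
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

A hit on a site running an affected version is a reason to review user roles and recent form exports, not proof of compromise on its own.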

Mitigation

Install updates from vendor's website.

Vulnerable software versions

RegistrationMagic – Custom Registration Forms and User Login: 2.5.3 - 4.6.0.3

External links

http://wpvulndb.com/vulnerabilities/10116/
http://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-registrationmagic-plugin/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU25805

Risk: High

CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9457

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to unprotected "upload_template()", "import_form_first_ajax()", "view()" and "set_default_form()" AJAX actions. A remote authenticated attacker can upload a customized "vulnerable" registration form, then use the data export vulnerability to grab the information they need to launch the next step: by using yet another unprotected AJAX action, they can set an existing form on the site to expire after 0 submissions and replace it with their newly uploaded form. Once the vulnerable form is active, the attacker can register as an administrator.

If no forms are published, but the plugin’s “Magic Button” functionality is enabled, an attacker can also use an unprotected AJAX action to set their uploaded form as the “Default” form, which can be submitted from anywhere on the site.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

RegistrationMagic – Custom Registration Forms and User Login: 2.5.3 - 4.6.0.3

External links

http://wpvulndb.com/vulnerabilities/10116/
http://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-registrationmagic-plugin/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


