SB2020030606 - Multiple vulnerabilities in RegistrationMagic – Custom Registration Forms and User Login plugin for WordPress
Published: March 6, 2020 Updated: March 6, 2020
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-9456)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insufficient capability checks or nonces for functions in the plugin used for administrative purposes. A remote user can send a specially crafted request with the "rm_slug" $_POST parameter set to "rm_user_edit" and the "user_id" parameter set to the user’s ID (which can typically be obtained from the user’s profile page) and change the user’s role to administrator.
2) Cross-site request forgery (CVE-ID: CVE-2020-9454)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote authenticated attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as modifying settings.
3) Cross-site request forgery (CVE-ID: CVE-2020-9455)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the "send_email_ajax" function. A remote authenticated attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
4) Information disclosure (CVE-ID: CVE-2020-9458)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the "export" function lacks access control and a nonce check. A remote authenticated attacker can send a specially crafted request with the "rm_slug" $_POST parameter set to "rm_form_export", which causes the plugin to export every form on the site, including everything that had ever been submitted to any of these forms (though this does not include login credentials).
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-9457)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to unprotected "upload_template()","import_form_first_ajax()","view()" and "set_default_form()" AJAX actions. A remote authenticated attacker can upload a customized "vulnerable" registration form, then use the data export vulnerability to grab the information they need to launch the next step: by using yet another unprotected AJAX action, they can set an existing form on the site to expire after 0 submissions and replace it with their newly uploaded form. Once the vulnerable form is active, the attacker can register as an administrator.
If no forms are published, but the plugin’s “Magic Button” functionality is enabled, an attacker can also use an unprotected AJAX action to set their uploaded form as the “Default” form, which can be submitted from anywhere on the site.
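Vulnerabilities 1, 4 and 5 above share one root cause: admin-side AJAX actions dispatched from a POST parameter without a nonce or a capability check. The following is an added example, not code from the RegistrationMagic plugin, showing that missing-guard pattern beside a hardened WordPress handler; the function and action names (`example_*`) and the nonce name are hypothetical.

```php
<?php
// Added example (not the plugin's code). Action and function names are hypothetical.

// Unsafe pattern: trusts $_POST, verifies no nonce, checks no capability.
function example_unsafe_user_edit() {
    $user = get_userdata( absint( $_POST['user_id'] ) );
    $user->set_role( $_POST['role'] ); // caller chooses any role, including administrator
    wp_send_json_success();
}

// Hardened handler for the same action.
function example_safe_user_edit() {
    // 1. CSRF: require a nonce issued for this specific action. The form that
    //    calls it would emit it with wp_nonce_field( 'example_user_edit', '_example_nonce' ).
    //    check_ajax_referer() terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_user_edit', '_example_nonce' );

    // 2. Authorization: being logged in is not enough; the caller needs the capability.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input validation and per-object permission on the target user.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    $user    = get_userdata( $user_id );
    if ( ! $user || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'invalid target user', 400 );
    }

    // 4. Allow-list the role: only roles core's own user editor would let the
    //    current user assign (plugins can narrow this set via the editable_roles filter).
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_send_json_error( 'role not assignable by this user', 403 );
    }

    $user->set_role( $role );
    wp_send_json_success();
}

// Register only the hardened handler, and only for authenticated users:
// no wp_ajax_nopriv_ variant for an administrative action.
add_action( 'wp_ajax_example_user_edit', 'example_safe_user_edit' );
```

The same three guards (nonce, capability, allow-listed input) apply equally to the export, template-upload and default-form actions listed in items 4 and 5.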
Remediation
Install the update from the vendor's website.