RegistrationMagic < 5.0.1.6 - Admin+ SQL Injection
CVE-2021-24862

7.2HIGH

Key Information:

Vendor
Wordpress
Status
Registrationmagic – Custom Registration Forms, User Registration And User Login Plugin
Vendor
CVE Published:
10 January 2022

Summary

The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue

Affected Version(s)

RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin 5.0.1.6

References

https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-...
x_refsource_MISC
http://packetstormsecurity.com/files/165746/WordPress-Reg...
x_refsource_MISC
https://github.com/Hacker5preme/Exploits/tree/main/Wordpr...
x_refsource_MISC

EPSS Score

95% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

JrXnm
.