Authentication Bypass in RegistrationMagic Plugin for WordPress
CVE-2023-2499

9.8CRITICAL

Key Information:

Vendor

Wordpress
Status
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vendor
CVE Published:
16 May 2023

What is CVE-2023-2499?

The RegistrationMagic plugin for WordPress contains a security flaw that allows attackers to bypass authentication by exploiting insufficient verification during Google social login. This vulnerability can let malicious users gain unauthorized access to existing user accounts, including those of administrators, if they know the associated email addresses. Addressing this issue is crucial to safeguarding user data and ensuring the integrity of WordPress sites using the plugin.

Affected Version(s)

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login * <= 5.2.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/custom-registr...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
.
CVE-2023-2499 : Authentication Bypass in RegistrationMagic Plugin for WordPress