Authentication Bypass in RegistrationMagic Plugin for WordPress
CVE-2023-2499

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Vendor: CVE Published:; 16 May 2023

Summary

The RegistrationMagic plugin for WordPress contains a security flaw that allows attackers to bypass authentication by exploiting insufficient verification during Google social login. This vulnerability can let malicious users gain unauthorized access to existing user accounts, including those of administrators, if they know the associated email addresses. Addressing this issue is crucial to safeguarding user data and ensuring the integrity of WordPress sites using the plugin.

Affected Version(s)

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login * <= 5.2.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/custom-registr...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2023
Vulnerability Reserved
May 3, 2023

Credit

Lana Codes