The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.
The plugin does not perform proper validation of the password reset token before applying it to change the user's password. An attacker without any authentication can initiate a password reset procedure for any account and bypass the token verification mechanism. As a result, it is possible to set a new password for a selected user, including an administrator, without knowing the original token or current password.
An attacker can gain full access to any account on the WordPress platform, including administrator accounts, leading to complete takeover of the website — violation of confidentiality, integrity, and data availability.
The RegistrationMagic plugin must be immediately updated to a version higher than 6.0.2.6, which fixes the password reset token validation (fix available in the WordPress repository under changeset 3181174). If an immediate update is not possible, it is recommended to temporarily disable the plugin until the patch is deployed.
RegistrationMagic – User Registration Plugin with Custom Registration Forms for WordPress, all versions up to and including 6.0.2.6 (Metagauss RegistrationMagic).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMetagauss Registrationmagic
APPMetagauss< 6.0.2.7
Related vulnerabilities
PHP Object Injection w pluginie RegistrationMagic dla WordPress
The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and inclu...
The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, ...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagaus...
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submi...