Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.
The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) consists of the fact that the plugin's authentication mechanism can be bypassed without providing any credentials. An attacker sending an appropriately crafted network request can gain access to functions or resources reserved exclusively for authenticated users. The attack does not require user interaction or special privileges, and can be carried out remotely over the network.
An attacker can gain unauthorized access to sensitive data, modify or destroy website resources, and potentially take full control of the site, which corresponds to high impact on the confidentiality, integrity, and availability of the system.
The RegistrationMagic plugin must be updated immediately to a version higher than 6.0.8.6. Detailed information about the available patch can be found in the vendor's references and in the Patchstack database.
WordPress plugin RegistrationMagic (custom-registration-form-builder-with-submission-manager) in versions 6.0.8.6 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H