CVE-2017-20208 — Deserialization of Untrusted Data in Registrationmagic

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 32.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Metagauss Registrationmagic

Timeline

PublishedOct 18

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDmetagauss/registrationmagic< 3.7.9.3

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

RegistrationMagic - Custom Registration Forms <= 3.7.9.2 - PHP Object Injection↗2025-10-18

▶

GHSA

GHSA-5g96-pc88-j7fx: The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injecti↗2025-10-18

▶

VulnCheck

metagauss registrationmagic Deserialization of Untrusted Data↗2017

▶