CVE-2021-24647
published 2021-11-08

CVE-2021-24647: The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in…

Priority: P179 high | CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 8.38% (94.3th percentile)
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing an unauthenticated attacker to log in as any user on the site by only knowing their user ID or username.

Affected

1 range
Vendor: genetechsolutions
Product: pie_register
Version range: < 3.7.1.6
Fixed in: 3.7.1.6

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/pie-register/readme.txt
path: /wp-content/plugins/pie-register/readme.txt
command:
    POST /login/ HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    social_site=true&user_id_social_site=1&wp-submit=Log+In&testcookie=1
other: social_site=true&user_id_social_site=1
  • Detect exploitation attempts by monitoring POST requests to /login/ containing the parameters 'social_site=true' and 'user_id_social_site=' — these are the key exploit parameters for unauthenticated arbitrary login.
  • Fingerprint vulnerable installations by checking for the presence of the 'pieregister' string in /wp-content/plugins/pie-register/readme.txt; the exploit template uses this as a version/presence check.
  • Confirm successful exploitation by checking if the response to /wp-admin/profile.php returns HTTP 200 and contains both 'Username' and 'email-description' — indicating the attacker is now authenticated.
  • Reconnaissance step: unauthenticated GET to /wp-content/plugins/pie-register/readme.txt is used to confirm plugin presence before launching the exploit.
  • The exploit targets user_id_social_site=1 (typically the WordPress admin account). Attackers only need to know a valid user ID or username; no password is required.
  • The vulnerability exists in the social login implementation of the plugin. The flaw is present in versions before 3.1.7.6 (NVD) / 3.7.1.6 (WPScan/template); note the version discrepancy between sources.
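
The detection logic from the bullets above, as an added example (not code from the source feeds or the plugin): it grades each client IP by whether the readme.txt probe, the POST /login/ parameter pair and a 200 on /wp-admin/profile.php appear in sequence. Assumptions: the record fields (ip, method, path, status, body) are hypothetical and presume a WAF or proxy log that captures request bodies; the sample records are constructed, and only the status code is checked for profile.php because response bodies are rarely logged.

```python
from urllib.parse import parse_qs, urlsplit

README = "/wp-content/plugins/pie-register/readme.txt"
PROFILE = "/wp-admin/profile.php"

def bypass_targets(method, path, body):
    """Return the user_id_social_site values if the request matches, else None."""
    if method.upper() != "POST" or urlsplit(path).path.rstrip("/") != "/login":
        return None
    # Decode the form body so parameter order and URL-encoding do not matter.
    params = parse_qs(body or "", keep_blank_values=True)
    flags = [v.strip().lower() for v in params.get("social_site", [])]
    if "true" in flags and "user_id_social_site" in params:
        return params["user_id_social_site"]
    return None

def triage(events):
    """Grade each client IP over time-ordered events.

    Returns {ip: {"grade": ..., "targets": [...]}} for IPs with an attempt.
    """
    recon, findings = set(), {}
    for ev in events:
        ip, method = ev["ip"], ev["method"].upper()
        path = urlsplit(ev["path"]).path
        targets = bypass_targets(method, ev["path"], ev.get("body"))
        if targets is not None:
            f = findings.setdefault(ip, {"grade": "attempt", "targets": []})
            f["targets"] += [t for t in targets if t not in f["targets"]]
            if ip in recon and f["grade"] == "attempt":
                f["grade"] = "recon+attempt"
        elif method == "GET" and path == README:
            recon.add(ip)
        elif method == "GET" and path == PROFILE and ev.get("status") == 200 and ip in findings:
            findings[ip]["grade"] = "likely-success"
    return findings

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"ip": "198.51.100.7", "method": "GET", "path": README, "status": 200},
    {"ip": "198.51.100.7", "method": "POST", "path": "/login/", "status": 302,
     "body": "social_site=true&user_id_social_site=1&wp-submit=Log+In&testcookie=1"},
    {"ip": "198.51.100.7", "method": "GET", "path": PROFILE, "status": 200},
    {"ip": "203.0.113.20", "method": "POST", "path": "/login/", "status": 200,
     "body": "log=alice&pwd=x&wp-submit=Log+In"},
    {"ip": "203.0.113.20", "method": "GET", "path": PROFILE, "status": 200},
]

if __name__ == "__main__":
    for ip, f in triage(SAMPLE).items():
        print(ip, f["grade"], f["targets"])
```

An ordinary password login followed by a profile page view (the second IP in the sample) produces no finding, because the grade only escalates after a matching POST from the same address.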

CVSS provenance

nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | 8.1 | HIGH