CVE-2021-24862
published 2022-01-10

Priority P2 · 64 · high · 7.2 CVSS 3.1
AV:N · AC:L · PR:H · UI:N · S:U · C:H · I:H · A:H
EXPLOIT
EPSS 73.29% · 99.4th percentile
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.

Affected

1 range
Vendor: metagauss
Product: registrationmagic
Version range: < 5.0.1.6
Fixed in: 5.0.1.6

Detection & IOCs (extracted from sources)

url: http://<target>:<port><wp_path>wp-admin/admin-ajax.php
command: action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2
path: /wp-admin/admin-ajax.php
path: /wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2
sigma:
condition: selection_1 and selection_2 and selection_3 — POST to /wp-admin/admin-ajax.php with body containing action=rm_chronos_ajax and rm_chronos_ajax_action=duplicate_tasks_batch
  • Monitor POST requests to wp-admin/admin-ajax.php with the AJAX action parameter set to 'rm_chronos_ajax' and sub-action 'duplicate_tasks_batch'; the injectable parameter is 'task_ids[]'.
  • The SQL injection is authenticated; look for authenticated WordPress sessions (valid WordPress auth cookies) combined with suspicious POST bodies to admin-ajax.php targeting rm_chronos_ajax.
  • Successful exploitation may result in an HTTP 200 response containing 'rm_user_role_mananger_form' in the body; use this as a detection signal for confirmed exploitation.
  • Inspect the 'task_ids[]' POST parameter for SQL metacharacters or UNION/SELECT payloads indicative of SQLi attempts against the RegistrationMagic plugin.
  • Exploitation requires valid WordPress authentication credentials; unauthenticated exploitation is not possible for this CVE.
  • The vulnerability affects RegistrationMagic plugin versions up to and including 5.0.1.5; version 5.0.1.6 and later are patched.
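
The request pattern from the detection notes above, written as a log triage check. This is an added example, not code from this page or from the plugin. The (method, path, body) record shape, the assumption that legitimate task_ids[] values are plain integers, and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
INTEGER = re.compile(r"[0-9]+")


def classify(method, path, body):
    """Triage one request against the rm_chronos_ajax pattern.

    Returns (verdict, bad_values) where verdict is:
      'ignore'     - not a duplicate_tasks_batch call
      'match'      - the page's sigma condition is met, all task ids are integers
      'suspicious' - condition met and at least one task_ids[] value is not an integer
    """
    # Tolerate a WordPress install under a sub-path and a query string on the URL.
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith(AJAX_PATH):
        return "ignore", []
    # parse_qs percent-decodes keys and values: task_ids%5B%5D becomes task_ids[].
    params = parse_qs(body, keep_blank_values=True)
    # Membership test rather than equality, so a repeated parameter cannot hide the call.
    if "rm_chronos_ajax" not in params.get("action", []):
        return "ignore", []
    if "duplicate_tasks_batch" not in params.get("rm_chronos_ajax_action", []):
        return "ignore", []
    ids = [v for key, vals in params.items() if key.startswith("task_ids") for v in vals]
    # Assumption: task ids are non-negative integers, so anything else is worth a look.
    bad = [v for v in ids if not INTEGER.fullmatch(v)]
    return ("suspicious" if bad else "match"), bad


# Constructed sample requests (not taken from real traffic).
BASE = "action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch"
SAMPLES = [
    ("POST", "/wp-admin/admin-ajax.php", BASE + "&task_ids%5B%5D=2"),
    ("POST", "/blog/wp-admin/admin-ajax.php", BASE + "&task_ids%5B%5D=2+UNION+SELECT+1"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&interval=60"),
    ("GET", "/wp-admin/admin-ajax.php", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, classify(method, path, body))
```

A 'match' on its own is normal administrator activity on a site running the plugin; the 'suspicious' verdict is the one to correlate with the authenticated session and the response body signal listed above.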

CVSS provenance

nvd · v3.1 · 7.2 · HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P