CVE-2021-24862
Published 2022-01-10
Priority: P264 · high · 7.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 73.29% (99.4th percentile)
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metagauss | registrationmagic | < 5.0.1.6 | 5.0.1.6 |
Detection & IOCs
sigma
condition: selection_1 and selection_2 and selection_3 (POST to /wp-admin/admin-ajax.php with body containing action=rm_chronos_ajax and rm_chronos_ajax_action=duplicate_tasks_batch)
- Monitor POST requests to wp-admin/admin-ajax.php with the AJAX action parameter set to 'rm_chronos_ajax' and sub-action 'duplicate_tasks_batch'; the injectable parameter is 'task_ids[]'.
- The SQL injection is authenticated; look for authenticated WordPress sessions (valid WordPress auth cookies) combined with suspicious POST bodies to admin-ajax.php targeting rm_chronos_ajax.
- Successful exploitation may result in an HTTP 200 response containing 'rm_user_role_mananger_form' in the body; use this as a detection signal for confirmed exploitation.
- Inspect the 'task_ids[]' POST parameter for SQL metacharacters or UNION/SELECT payloads indicative of SQLi attempts against the RegistrationMagic plugin.
- Exploitation requires valid WordPress authentication credentials; unauthenticated exploitation is not possible for this CVE.
- The vulnerability affects RegistrationMagic plugin versions up to and including 5.0.1.5; version 5.0.1.6 and later are patched.
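A triage sketch for the signals listed above, added here as an example (it is not code from this page, the plugin, or the referenced templates). It assumes request and response bodies are available from a WAF or proxy log and that legitimate 'task_ids[]' values are plain decimal integers; the record layout and verdict names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
# Response marker quoted on the page (spelling as it appears there).
MARKER = "rm_user_role_mananger_form"
INT_ID = re.compile(r"\d+", re.ASCII)

def classify(method, url, body, status=None, resp_body=""):
    """Verdict for one logged request: ignore, batch-duplicate, sqli-suspect, confirmed."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith(AJAX_PATH):
        return "ignore"
    form = parse_qs(body, keep_blank_values=True)  # also decodes task_ids%5B%5D
    if "rm_chronos_ajax" not in form.get("action", []):
        return "ignore"
    if "duplicate_tasks_batch" not in form.get("rm_chronos_ajax_action", []):
        return "ignore"
    ids = form.get("task_ids[]", [])
    # Assumption: a legitimate batch carries only decimal task IDs.
    if all(INT_ID.fullmatch(v.strip()) for v in ids):
        return "batch-duplicate"
    if status == 200 and MARKER in resp_body:
        return "confirmed"
    return "sqli-suspect"

# Constructed sample records (not real traffic): method, url, body, status, response body.
PREFIX = "action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&"
SAMPLES = [
    ("GET", AJAX_PATH + "?action=heartbeat", "", 200, ""),
    ("POST", AJAX_PATH, "action=heartbeat&interval=60", 200, ""),
    ("POST", AJAX_PATH, PREFIX + "task_ids%5B%5D=3&task_ids%5B%5D=7", 200, ""),
    ("POST", AJAX_PATH, PREFIX + "task_ids%5B%5D=3+OR+1%3D1", 500, ""),
    ("POST", AJAX_PATH, PREFIX + "task_ids%5B%5D=3+OR+1%3D1", 200, "<form id='" + MARKER + "'>"),
]

def triage(records):
    """Return (verdict, body) pairs for everything that is not 'ignore'."""
    hits = [(classify(*r), r[2]) for r in records]
    return [h for h in hits if h[0] != "ignore"]

if __name__ == "__main__":
    for verdict, body in triage(SAMPLES):
        print(f"{verdict:16} {body}")
```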
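CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |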
No detection rules found.
Exploit-DB
WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
exploitdb·2022-01-27·CVSS 7.2
---
# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
# Date 23.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://registrationmagic.com/
# Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip
# Version: <= 5.0.1.5
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24862
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md
'''
Description:
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action
before using it in a SQL statement when duplicating tasks in batche
Metasploit
Wordpress RegistrationMagic task_ids Authenticated SQLi
metasploit
RegistrationMagic, a WordPress plugin, prior to 5.0.1.5 is affected by an authenticated SQL injection via the task_ids parameter.
Nuclei
WordPress RegistrationMagic <5.0.1.6 - Authenticated SQL Injection
nuclei·CVSS 7.2
WordPress RegistrationMagic =6'
- 'status_code_2 == 200'
- 'contains(body_3, "rm_user_role_mananger_form")'
condition: and
# digest: 4a0a0047304502201a6fa3c0a48536adb4b8a8a4df04a566063f029d25c80a1b1b0be1ddea463f1c022100ccc292a6e376653cfb8af3d4d9f9b6a8b55eb665011b78acda5d7c8cf9261284:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/165746/WordPress-RegistrationMagic-V-5.0.1.5-SQL-Injection.html
- https://github.com/Hacker5preme/Exploits/tree/main/Wordpress/CVE-2021-24862
- https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615