CVE-2021-4073
published 2021-12-14

Priority: P179 high
CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 7.00% (93.4th percentile)

The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metagauss | registrationmagic | <= 5.0.1.7 | |
| registrationmagic | registrationmagic | 5.0.1.7 – 5.0.1.7 | |

Detection & IOCs (extracted from sources)

sigma: status_code == 200
  • Target the social_login_using_email() function in the RegistrationMagic plugin for missing identity/authentication validation — unauthenticated requests to this function that result in HTTP 200 may indicate exploitation.
  • Monitor for requests referencing 'RegistrationMagic Profile' in the WordPress admin bar (wp-admin-bar-root-default), which may indicate a successful authentication bypass and session establishment.
  • Flag RegistrationMagic plugin versions equal to or less than 5.0.1.7 as vulnerable targets for this authentication bypass.
  • Exploitation requires the attacker to know a valid username on the target WordPress site; without a valid username, the social login bypass cannot be triggered.

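CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |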