CVE-2021-4073
Published 2021-12-14
Priority: P1 · 79 · high · CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 7.00% (93.4th percentile)
The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metagauss | registrationmagic | <= 5.0.1.7 | — |
| registrationmagic | registrationmagic | 5.0.1.7 – 5.0.1.7 | — |
Detection & IOCs
sigma
status_code == 200
- Unauthenticated requests that reach the social_login_using_email() function of the RegistrationMagic plugin, which lacks identity/authentication validation, and result in HTTP 200 may indicate exploitation.
- Monitor for responses containing 'RegistrationMagic Profile' in the WordPress admin bar (wp-admin-bar-root-default), which may indicate a successful authentication bypass and session establishment.
- Flag RegistrationMagic plugin versions 5.0.1.7 or earlier as vulnerable to this authentication bypass.
- Exploitation requires the attacker to know a valid username on the target WordPress site; without a valid username, the social login bypass cannot be triggered.
CVSS provenance
- nvd, v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- vulncheck: 9.8 CRITICAL
GHSA
ghsa_unreviewed·2021-12-15
CVE-2021-4073 [CRITICAL] CWE-287 GHSA-3858-cvv4-qvj7
VulnCheck
metagauss registrationmagic Improper Authentication
vulncheck·2021·CVSS 9.8
CVE-2021-4073 [CRITICAL] metagauss registrationmagic Improper Authentication
Affected: metagauss registrationmagic
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2021-4073
No detection rules found.
Nuclei
RegistrationMagic <= 5.0.1.7 - Authentication Bypass
nuclei·CVSS 8.1
CVE-2021-4073 [HIGH] RegistrationMagic <= 5.0.1.7 - Authentication Bypass
RegistrationMagic Profile', 'wp-admin-bar-root-default')"
- 'status_code == 200'
condition: and
# digest: 490a004630440220381faa42bd444ebb07003f528c53b48d77cfa4da453deb38ac9f99d3c600aa900220153ceae269a166afa294b7ea07a83beb0a11b5563f8699022293634bb6d33841:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
- https://plugins.trac.wordpress.org/changeset/2635173/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_user_services.php
- https://www.wordfence.com/blog/2021/12/authentication-bypass-vulnerability-patched-in-user-registration-plugin/
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4073