CVE-2024-10508Improper Handling of Missing Values in Registrationmagic

CWE-230Improper Handling of Missing Values3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
15.3%
top 5.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Metagauss Registrationmagic
Timeline
PublishedNov 9

Description

The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
CVEList
RegistrationMagic – User Registration Plugin with Custom Registration Forms <= 6.0.2.6 - Unauthenticated Privilege Escalation via Password Recovery2024-11-09
GHSA
GHSA-vh3h-6j4p-c645: The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account2024-11-09
CVE-2024-10508 — Improper Handling of Missing Values | cvebase