Vulnerability CVE-2021-4073

Vulnerability CVE-2021-4073

Published: 2021-12-14

Description:

The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.

Type:

CWE-287

(Improper Authentication)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.8/10	6.4/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Registrationmagic -> Registrationmagic

References:

https://www.wordfence.com/blog/2021/12/authentication-bypass-vulnerability-patched-in-user-registration-plugin/

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4073

https://plugins.trac.wordpress.org/changeset/2635173/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_user_services.php

Vulnerability CVE-2021-4073

CWE-287

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

6.8/10

6.4/10

8.6/10

Remote

Medium

No required

Partial

Partial

Partial

Affected software

References: