RegistrationMagic < 5.2.5.1 – IP Spoofing | CVE 2023-51543 | Plugin Vulnerabilities

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.5.0 due to use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to submit more form entries than the form submission limit allows.

Affects Plugins

custom-registration-form-builder-with-submission-manager

Fixed in 5.2.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4b37b57c-4a11-4971-b38f-12c70d71b76b

Classification

Type

SPOOFING

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Brandon James Roldan (tomorrowisnew)

Verified

No

WPVDB ID

05617a1a-728d-4a1b-93bf-6e8c14de7ba9

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-04 (about 2 years ago)

Last Updated

2024-01-04 (about 2 years ago)

Other

Published

Title

Published

2025-10-24

Title

Password Protected < 2.7.12 - Unauthenticated Authorization Bypass via IP Address Spoofing

Published

2023-11-27

Title

Antispam Bee < 2.11.4 - IP Address Spoofing via get_client_ip

Published

2023-12-05

Title

WP Photo Album Plus < 8.6.01.005 - IP Spoofing

Published

2024-09-04

Title

Security, Antivirus, Firewall – S.A.F <= 2.3.5 - IP Address Spoofing to Protection Mechanism Bypass

Published

2025-10-09

Title

All In One Login 2.0.8 - IP Sooofing to Protection Mechanism Bypass