WordPress Plugin Vulnerabilities

RegistrationMagic - Custom Registration Forms < 3.8.0.9 - Authenticated SQL Injection

Description

The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin was affected by a Custom Registration Forms <= 3.8.0.4 - Authenticated SQL Injection security vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
custom-registration-form-builder-with-submission-manager
Fixed in 3.8.0.9

References

URL
https://rastating.github.io/registrationmagic-custom-registration-forms-3-7-9-2-authenticated-sql-injection
URL
https://github.com/rastating/wordpress-exploit-framework/blob/master/lib/wpxf/modules/auxiliary/hash_dump/registrationmagic_hash_dump.rb

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Submitter
rastating
Submitter website
https://www.rastating.com/
Submitter twitter
iamrastating
Verified
No
WPVDB ID
5f6420cc-5257-48bb-9ad8-f363d72b0bb0

Timeline

Publicly Published
2017-12-10 (about 8 years ago)
Added
2017-12-11 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2014-08-01
Title
yolink Search <= 1.1.4 - includes/bulkcrawl.php Multiple Parameter SQL Injection
Published
2025-02-18
Title
Small Package Quotes – For Customers of FedEx < 4.3.2 - Unauthenticated SQL Injection
Published
2015-07-09
Title
WP Statistics <= 9.4 - Authenticated SQL Injection
Published
2022-03-21
Title
Advanced Booking Calendar < 1.7.1 - Admin+ SQLi
Published
2021-11-29
Title
Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection