WordPress Plugin Vulnerabilities

RegistrationMagic < 5.2.1.0 - Admin+ Arbitrary Password Update via IDOR

Description

The plugin is affected by an IDOR issue allowing high privileged users such as admin to update the password of arbitrary users in a multisite setup

Affects Plugins

Plugin icon
custom-registration-form-builder-with-submission-manager
Fixed in 5.2.1.0

References

CVE
CVE-2023-2548

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
b67aed4c-431c-4af3-913d-753b8fe207ef

Timeline

Publicly Published
2023-05-12 (about 3 years ago)
Added
2023-05-16 (about 3 years ago)
Last Updated
2023-05-16 (about 3 years ago)

Other

Published
Title
Published
2024-03-28
Title
ProfileGrid < 5.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-03-11
Title
WpStream < 4.11.2 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-03-31
Title
Radius Blocks <= 2.2.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-02-11
Title
Image Photo Gallery Final Tiles Grid < 3.6.12 - Authenticated (Author+) Insecure Direct Object Reference
Published
2026-05-27
Title
Timetable and Event Schedule by MotoPress < 2.4.17 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function