WordPress Plugin Vulnerabilities

RegistrationMagic < 5.2.3.1 - Missing Authorization

Description

The RegistrationMagic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_user_profile() function in versions up to, and including, 5.2.3.0. This makes it possible for unauthenticated attackers to update other user's profiles.

Affects Plugins

Plugin icon
custom-registration-form-builder-with-submission-manager
Fixed in 5.2.3.1

References

CVE
CVE-2023-49831
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d041b14-0d05-4bfe-bd5c-7e06d7b108b8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
lttn
Verified
No
WPVDB ID
c12649be-949e-4b9b-b069-93da31cb64b6

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-09 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-03-08
Title
EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Missing Authorization to Arbitrary Post Overwrite
Published
2026-01-14
Title
X Addons for Elementor <= 1.0.23 - Missing Authorization
Published
2025-04-16
Title
Slazzer Background Changer <= 3.14 - Missing Authorization
Published
2023-12-06
Title
System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_db_specs)
Published
2024-08-07
Title
Robin image optimizer < 1.7.0 - Missing Authorization