WordPress Plugin Vulnerabilities

RegistrationMagic < 5.2.1.1 - Unauthenticated Authentication Bypass

Description

The plugin does not properly validate authentication via the Google Social login, allowing unauthenticated users to log as arbitrary users by knowing their email address

Affects Plugins

Plugin icon
custom-registration-form-builder-with-submission-manager
Fixed in 5.2.1.1

References

CVE
CVE-2023-2499

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
f3816a4f-3cfc-45f6-8006-d945c909a6c5

Timeline

Publicly Published
2023-05-15 (about 2 years ago)
Added
2023-05-16 (about 2 years ago)
Last Updated
2023-05-16 (about 2 years ago)

Other

Published
Title
Published
2023-04-11
Title
Web Stories < 1.32 - Author+ Auth Bypass
Published
2025-03-06
Title
WPCOM Member < 1.7.6 - Authentication Bypass via 'user_phone'
Published
2024-11-05
Title
Heateor Social Login WordPress < 1.1.36 - Authentication Bypass
Published
2024-11-05
Title
Social Share, Social Login and Social Comments Plugin – Super Socializer < 7.14 - Authentication Bypass
Published
2016-06-24
Title
Welcart e-Commerce < 1.8.3 - Session Management