CVE-2017-20208

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on WordPress sites using vulnerable versions of the RegistrationMagic plugin. Attackers can inject malicious PHP objects through deserialization, potentially leading to remote file inclusion and complete site compromise. All WordPress sites using RegistrationMagic plugin versions below 3.7.9.3 are affected.

💻 Affected Systems

Products:
  • RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress
Versions: All versions up to 3.7.9.3 (exclusive)
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with RegistrationMagic plugin. No special configuration needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover, data theft, malware installation, and server compromise leading to lateral movement within the hosting environment.

🟠 Likely Case

Remote code execution leading to website defacement, backdoor installation, credential theft, and data exfiltration.

🟢 If Mitigated

Limited impact if proper web application firewalls and input validation are in place, though exploitation may still succeed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild as a zero-day. Attack requires no authentication and minimal technical skill due to available exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.9.3 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/1733274/custom-registration-form-builder-with-submission-manager

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find RegistrationMagic plugin.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 3.7.9.3+ from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable RegistrationMagic Plugin

Platform: all

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate custom-registration-form-builder-with-submission-manager

Web Application Firewall Rule

Platform: all

Block requests containing serialized PHP object patterns:

# Add WAF rule to block requests with 'O:' followed by numbers (PHP serialized objects)

🧯 If You Can't Patch

  • Immediately disable or remove the RegistrationMagic plugin from all WordPress installations
  • Implement strict input validation and sanitization for all user-supplied data in the is_expired_by_date() function

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → RegistrationMagic version. If the version is below 3.7.9.3, the site is vulnerable.

Check Version:

wp plugin get custom-registration-form-builder-with-submission-manager --field=version

Verify Fix Applied:

Verify RegistrationMagic plugin version is 3.7.9.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress endpoints containing serialized PHP objects
  • Unexpected file writes in wp-content/uploads or plugin directories
  • Suspicious PHP execution patterns

Network Indicators:

  • HTTP requests with serialized data patterns (O: followed by numbers)
  • Outbound connections to unknown servers from WordPress process

SIEM Query:

source="wordpress.log" AND ("O:" AND "is_expired_by_date" OR "RegistrationMagic")
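
One way to turn the serialized-object indicator above into a log check (an added example, not part of the original advisory or the plugin's code). It URL-decodes each request body, matches the PHP object header O:<length>:"<class>":<count>:{ and keeps only hits whose declared length equals the class-name length. The record layout, sample values and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# PHP serialize() object header: O:<name length>:"<class name>":<property count>:{
# The lookbehind stops matches inside ordinary words such as "RATIO:3:4".
OBJ_HEADER = re.compile(
    r'(?<![A-Za-z0-9_])O:(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":(\d+):\{'
)

def decode_layers(value, max_rounds=3):
    """Undo repeated URL-encoding so 'O%253A' and 'O%3A' both surface as 'O:'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_serialized_objects(value):
    """Return class names of PHP serialized objects found in one request value."""
    hits = []
    for m in OBJ_HEADER.finditer(decode_layers(value)):
        declared_len, class_name = int(m.group(1)), m.group(2)
        # A real header declares the exact byte length of the class name;
        # checking it drops look-alike text and reduces false positives.
        if declared_len == len(class_name.encode()):
            hits.append(class_name)
    return hits

def scan(records):
    """Yield (source_ip, path, classes) for records whose body carries an object."""
    for ip, path, body in records:
        classes = find_serialized_objects(body)
        if classes:
            yield ip, path, classes

# Constructed sample records (source IP, request path, POST body); not real traffic.
SAMPLE = [
    ("203.0.113.10", "/index.php", "f=1&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    ("203.0.113.11", "/wp-login.php", "log=alice&pwd=RATIO:3:4"),
    ("203.0.113.12", "/index.php", "note=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"),
    ("203.0.113.13", "/index.php", 'msg=O:3:"toolong":0:{}'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The check only sees bodies that are actually logged, so it depends on request-body logging being enabled at the web server, WAF or proxy.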
