CVE-2021-24862

7.2 HIGH

📋 TL;DR

This CVE describes a SQL injection vulnerability in the RegistrationMagic WordPress plugin versions before 5.0.1.6. The vulnerability allows attackers to execute arbitrary SQL commands via the rm_chronos_ajax AJAX action when duplicating tasks in batches. WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress RegistrationMagic Plugin
Versions: All versions before 5.0.1.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the RegistrationMagic plugin to be installed and active. The vulnerable AJAX endpoint is accessible to users with appropriate permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data theft, modification, or deletion, and potential privilege escalation to gain administrative access to the WordPress site.

🟠 Likely Case

Unauthorized data extraction from the WordPress database, including user credentials, personal information, or sensitive site data.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability is exploitable via AJAX requests.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploits are publicly available on GitHub and Packet Storm. The vulnerability requires some level of user authentication to access the AJAX endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.1.6

Vendor Advisory: https://wpscan.com/vulnerability/7d3af3b5-5548-419d-aa32-1f7b51622615

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find RegistrationMagic and update to version 5.0.1.6 or later.
4. Alternatively, download the latest version from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable RegistrationMagic Plugin (applies to: all platforms)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate registrationmagic

Restrict AJAX Access (applies to: Linux / Apache)

Use web server or web application firewall rules to block requests for the vulnerable AJAX action rather than for admin-ajax.php as a whole, which many plugins and the WordPress core rely on.

# Example .htaccess rule for Apache (requires mod_rewrite).
# mod_rewrite can only inspect the request line and query string. WordPress
# AJAX calls normally send "action" in the POST body, which this rule does not
# see, so it blocks only the query-string form; use a WAF or ModSecurity rule
# to cover POST bodies.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{QUERY_STRING} action=rm_chronos_ajax [NC]
RewriteRule ^ - [F]

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs in custom code.
  • Deploy a web application firewall (WAF) with SQL injection protection rules enabled.

🔍 How to Verify

Check if Vulnerable:

Check the RegistrationMagic plugin version in WordPress admin under Plugins → Installed Plugins. If the version is below 5.0.1.6, the system is vulnerable.

Check Version:

wp plugin get registrationmagic --field=version

Verify Fix Applied:

Confirm the RegistrationMagic plugin version is 5.0.1.6 or higher in the WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by AJAX requests to rm_chronos_ajax
  • HTTP POST requests to /wp-admin/admin-ajax.php with SQL-like parameters

Network Indicators:

  • Unusual outbound database connections from the web server
  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in parameters

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (query="*action=rm_chronos_ajax*" OR query="*SELECT*" OR query="*UNION*")
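The log indicators and SIEM query above, turned into a script that can be run over an Apache access log. This is an added example, not part of the original advisory: the log lines are constructed, the `ids` parameter name is invented for the sample, and the script only sees what the web server logs (the query string, not POST bodies, so requests that carry `action` in the body need WAF or ModSecurity logging instead).

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed Apache combined-log lines (not real traffic); the "ids"
# parameter name is invented for the sample.
SAMPLE_LOGS = [
    '203.0.113.10 - - [10/Jan/2022:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=rm_chronos_ajax HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jan/2022:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=rm_chronos_ajax&ids=1%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Jan/2022:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:00:04 +0000] "GET /index.php?s=select HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop)\b", re.I)
VULN_ACTION = "rm_chronos_ajax"


def classify(line):
    """Return a finding dict for admin-ajax.php requests worth a look, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query, keep_blank_values=True).get("action", [""])[0]
    # Decode %XX and '+' first so URL-encoded keywords are not missed.
    keywords = sorted({k.lower() for k in SQL_KEYWORDS.findall(unquote_plus(url.query))})
    if action == VULN_ACTION and keywords:
        severity = "high"      # vulnerable action plus SQL keywords in one request
    elif keywords:
        severity = "medium"    # SQL keywords sent to some other AJAX action
    elif action == VULN_ACTION:
        severity = "low"       # legitimate use exists; correlate with plugin version and user
    else:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "action": action, "keywords": keywords, "severity": severity}

def scan(lines):
    """Apply classify() to every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

A "low" finding on its own is expected on any site that uses the plugin's batch-duplicate feature; it is the pairing with a pre-5.0.1.6 version or with SQL keywords that warrants escalation.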
