CVE-2021-4073

9.8 CRITICAL

📋 TL;DR

CVE-2021-4073 is an authentication bypass vulnerability in the RegistrationMagic WordPress plugin that allows unauthenticated attackers to log in as any user (including administrators) by knowing a valid username. This affects WordPress sites using RegistrationMagic plugin versions 5.0.1.7 and earlier. The vulnerability stems from missing identity validation in the social login function.

💻 Affected Systems

Products:
  • RegistrationMagic (Custom Registration Form Builder with Submission Manager) WordPress plugin
Versions: ≤ 5.0.1.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active. Social login feature must be enabled, but the vulnerability exists in the underlying code regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover: attackers gain administrative access, can install backdoors, steal data, deface websites, or use the site for further attacks.

🟠 Likely Case

Unauthorized access to user accounts leading to data theft, privilege escalation, and potential administrative compromise.

🟢 If Mitigated

Limited impact with proper network segmentation, but still exposes user data and could lead to lateral movement.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Lower risk if not internet-facing, but still vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: attackers only need to know a valid username and can bypass authentication via the social login function. A public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.1.8

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2635173/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_user_services.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'RegistrationMagic' and update to version 5.0.1.8 or later.
4. Alternatively, download the latest version from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Disable RegistrationMagic Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate custom-registration-form-builder-with-submission-manager

Restrict Access to WordPress Admin

all

Limit access to WordPress admin interface using IP whitelisting or web application firewall rules.

🧯 If You Can't Patch

  • Remove the RegistrationMagic plugin completely if not essential
  • Implement strong network segmentation and monitor for unauthorized login attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for RegistrationMagic version. If version is 5.0.1.7 or lower, you are vulnerable.

Check Version:

wp plugin get custom-registration-form-builder-with-submission-manager --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 5.0.1.8 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login from same IP
  • Successful logins for multiple users from same IP in short timeframe
  • Unusual user agent strings in authentication logs

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=rm_social_login
  • Unusual spikes in authentication traffic

SIEM Query:

source="wordpress.log" AND ("rm_social_login" OR "RegistrationMagic") AND status=200
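
The network indicator above applied to a web access log, as an added example (not code from the advisory or the plugin). The log lines are constructed, the threshold and window are assumed tuning values, and the check only sees the action parameter when it is in the query string.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=rm_social_login HTTP/1.1" 200 58 "-" "example-client/1.0"
203.0.113.7 - - [10/Dec/2021:10:00:40 +0000] "POST /wp-admin/admin-ajax.php?action=rm_social_login HTTP/1.1" 200 58 "-" "example-client/1.0"
203.0.113.7 - - [10/Dec/2021:10:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=rm_social_login HTTP/1.1" 200 58 "-" "example-client/1.0"
198.51.100.20 - - [10/Dec/2021:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=rm_social_login HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2021:10:02:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 47 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2021:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=rm_social_login HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:10:20:00 +0000] "POST /wp-admin/admin-ajax.php?action=rm_social_login HTTP/1.1" 403 12 "-" "example-client/1.0"
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def social_login_hits(log_text):
    """Yield (ip, time, status) for POSTs to admin-ajax.php with action=rm_social_login."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if "rm_social_login" in parse_qs(url.query).get("action", []):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["status"])

def flag_sources(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: 200-hit count} for IPs reaching threshold inside one window (assumed values)."""
    by_ip = defaultdict(list)
    for ip, ts, status in social_login_hits(log_text):
        if status == 200:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Standard access logs do not record POST bodies, so requests that carry the action parameter in the body need WAF or application-level logging to be visible. Legitimate social logins use the same action, so treat a flagged IP as a lead to correlate with new sessions for privileged accounts.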
