CVE-2024-1990
📋 TL;DR
This vulnerability allows authenticated attackers with contributor-level access or higher to perform blind SQL injection attacks via the 'id' parameter in the RegistrationMagic WordPress plugin. Attackers can extract sensitive information from the database by injecting malicious SQL queries. All WordPress sites using vulnerable versions of the RegistrationMagic plugin are affected.
💻 Affected Systems
- RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, payment information, personal data, and potential privilege escalation to administrative access.
Likely Case
Extraction of sensitive user data including email addresses, registration details, and potentially hashed passwords from the WordPress database.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful injection.
🎯 Exploit Status
SQL injection via the 'id' parameter in RM_Form shortcode requires authenticated access but is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.3.1.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3057216/custom-registration-form-builder-with-submission-manager/trunk/public/class_rm_public.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the RegistrationMagic plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the RM_Form shortcode from posts/pages to prevent exploitation.
Search for [RM_Form] in posts/pages and remove or replace with alternative
Restrict contributor access
Temporarily restrict contributor-level user creation or limit their permissions.
Use WordPress role management plugins to adjust permissions
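As an added example (not part of this advisory or the plugin's own code), the following Python script automates the shortcode audit described above: it scans post content for RM_Form shortcodes and flags any whose id attribute is not a plain integer form id, which is the only legitimate value. The post content is constructed sample data; in a real audit it would be pulled from wp_posts (e.g. via WP-CLI), and the attribute syntax assumed is the standard WordPress shortcode form (quoted or unquoted key=value).

```python
import re

# Constructed sample posts keyed by post ID (not real site data).
SAMPLE_POSTS = {
    101: 'Welcome! [RM_Form id="3"] Fill in the form above.',
    102: "Contact us: [RM_Form id='12' class='wide'] thanks",
    103: 'Register here [RM_Form id="1 OR 1=1"] now',      # non-numeric id: suspicious
    104: "Unquoted form: [RM_Form id=7] and no shortcode elsewhere.",
    105: "Broken usage: [RM_Form] with no id at all",        # missing id: also flagged
}

# Matches an RM_Form shortcode and captures its raw attribute string.
SHORTCODE_RE = re.compile(r"\[RM_Form\b([^\]]*)\]", re.IGNORECASE)
# Matches key="value", key='value' or key=value, as WordPress's shortcode parser does.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")


def parse_atts(raw):
    """Return a dict of shortcode attributes (keys lower-cased)."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        key, dq, sq, bare = m.groups()
        atts[key.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return atts


def is_safe_id(value):
    """A legitimate form id is a plain ASCII integer and nothing else."""
    return value is not None and re.fullmatch(r"[0-9]+", value) is not None


def audit_post(content):
    """Return [(shortcode_text, id_value)] for RM_Form shortcodes with a missing or non-integer id."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        id_value = parse_atts(m.group(1)).get("id")
        if not is_safe_id(id_value):
            findings.append((m.group(0), id_value))
    return findings


def audit_posts(posts):
    """Map post ID -> findings, for posts that have at least one suspicious shortcode."""
    results = {}
    for post_id, content in posts.items():
        findings = audit_post(content)
        if findings:
            results[post_id] = findings
    return results


if __name__ == "__main__":
    for post_id, findings in audit_posts(SAMPLE_POSTS).items():
        for shortcode, id_value in findings:
            print(f"post {post_id}: {shortcode!r} (id={id_value!r})")
```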
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the 'id' parameter
- Monitor and audit contributor-level user activities for suspicious database queries
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → RegistrationMagic → Version number. If version is 5.3.1.0 or lower, you are vulnerable.
Check Version:
wp plugin get custom-registration-form-builder-with-submission-manager --field=version
Verify Fix Applied:
After updating, verify version is higher than 5.3.1.0 and test RM_Form shortcode functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from contributor-level users
- Multiple failed SQL queries with injection patterns
- High volume of requests to pages containing RM_Form shortcode
Network Indicators:
- SQL error messages in HTTP responses
- Unusual parameter patterns in POST/GET requests to WordPress pages
SIEM Query:
source="wordpress.log" AND ("RM_Form" OR "id parameter") AND (sql OR injection OR union OR select)
🔗 References
- https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager/trunk/public/class_rm_public.php
- https://plugins.trac.wordpress.org/changeset/3057216/custom-registration-form-builder-with-submission-manager/trunk/public/class_rm_public.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6478cdbc-a20e-4fe2-bbd6-8a550e5da895?source=cve