CVE-2024-29113
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into web pages generated by the RegistrationMagic WordPress plugin. When users visit a specially crafted URL, the script executes in their browser, potentially stealing session cookies or performing actions on their behalf. All WordPress sites using RegistrationMagic versions up to 5.2.5.9 are affected.
💻 Affected Systems
- WordPress RegistrationMagic plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access to WordPress, install backdoors, deface websites, or steal sensitive user data.
Likely Case
Attackers steal user session cookies, perform actions as authenticated users, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers.
🎯 Exploit Status
Reflected XSS typically requires minimal technical skill to exploit once the vulnerability details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.6.0 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find RegistrationMagic and click 'Update Now'. 4. Verify the plugin version is 5.2.6.0 or higher.
🔧 Temporary Workarounds
Temporary plugin deactivation
allDisable the RegistrationMagic plugin until patched
wp plugin deactivate custom-registration-form-builder-with-submission-manager
Web Application Firewall (WAF) rules
allConfigure WAF to block XSS payloads targeting RegistrationMagic endpoints
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use browser security extensions that block reflected XSS attacks
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for RegistrationMagic version. If version is 5.2.5.9 or lower, you are vulnerable.Check Version:
wp plugin get custom-registration-form-builder-with-submission-manager --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 5.2.6.0 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests containing script tags or JavaScript code to RegistrationMagic endpoints
- Multiple failed login attempts following suspicious URL visits
Network Indicators:
- HTTP requests with encoded script payloads in query parameters
- Outbound connections to suspicious domains after visiting RegistrationMagic pages
SIEM Query:
source="web_server" AND (uri="*registrationmagic*" AND (query="*<script>*" OR query="*javascript:*" OR query="*onload=*"))🔗 References
- https://patchstack.com/database/vulnerability/custom-registration-form-builder-with-submission-manager/wordpress-registrationmagic-plugin-5-2-5-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/custom-registration-form-builder-with-submission-manager/wordpress-registrationmagic-plugin-5-2-5-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
