CVE-2024-9390
📋 TL;DR
This vulnerability allows high-privilege WordPress users (such as administrators) to inject malicious scripts into the RegistrationMagic plugin settings; the scripts then execute when other users view those settings. It affects WordPress multisite installations, where the unfiltered_html capability is restricted, and all sites running RegistrationMagic plugin versions before 6.0.2.1.
💻 Affected Systems
- RegistrationMagic WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with admin privileges could inject persistent XSS payloads that steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims when they view plugin settings pages.
Likely Case
Malicious administrator or compromised admin account injects tracking scripts or credential harvesters that affect other privileged users who manage the plugin settings.
If Mitigated
With proper user access controls and regular security updates, impact is limited to potential data leakage from users who view malicious plugin settings.
🎯 Exploit Status
Exploitation requires admin-level access but is straightforward once authenticated. Public proof-of-concept exists via WPScan.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.2.1
Vendor Advisory: https://wpscan.com/vulnerability/6a5308fb-83bf-4f6a-a7ef-e3e1b69aa80f/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find RegistrationMagic and click 'Update Now'.
4. Alternatively, download version 6.0.2.1+ from the WordPress repository and manually replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the RegistrationMagic plugin until it is patched, to prevent exploitation.
wp plugin deactivate registrationmagic
Restrict Admin Access
Temporarily limit administrator accounts to trusted personnel only and enforce multi-factor authentication for them.
🧯 If You Can't Patch
- Remove RegistrationMagic plugin completely if not essential
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check the RegistrationMagic plugin version in WordPress admin → Plugins → Installed Plugins. If the version is below 6.0.2.1, the site is vulnerable.
Check Version:
wp plugin get registrationmagic --field=version
Verify Fix Applied:
Confirm RegistrationMagic plugin version is 6.0.2.1 or higher in WordPress admin panel.
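The version check above is easy to get wrong with a plain string comparison (6.0.10 sorts before 6.0.2.1 lexically). The following is an added example, not code from the advisory or the plugin vendor: a POSIX sh script that compares the installed version against the fixed release 6.0.2.1 component by component, assuming the WP-CLI plugin slug `registrationmagic` shown on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): numeric, component-wise comparison of a
# RegistrationMagic version string against the fixed release for CVE-2024-9390.

FIXED_VERSION="6.0.2.1"

# version_lt A B -> returns 0 if dotted version A is strictly lower than B.
# Missing trailing components count as 0, so 6.0.2 < 6.0.2.1 and 6.0.2.1 == 6.0.2.1.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"; cb="${b%%.*}"
        # keep only digits (drops suffixes like "-beta") and default to 0
        ca=$(printf '%s' "$ca" | tr -cd '0-9'); [ -z "$ca" ] && ca=0
        cb=$(printf '%s' "$cb" | tr -cd '0-9'); [ -z "$cb" ] && cb=0
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
        # drop the leading component; the string becomes empty after the last one
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1   # versions are equal, so not lower
}

# registrationmagic_vulnerable VERSION -> returns 0 if VERSION is below 6.0.2.1.
registrationmagic_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Query the live site with WP-CLI; slug "registrationmagic" is taken from the advisory.
check_live_site() {
    v=$(wp plugin get registrationmagic --field=version 2>/dev/null) || {
        echo "RegistrationMagic not installed or wp-cli unavailable"; return 2; }
    if registrationmagic_vulnerable "$v"; then
        echo "VULNERABLE: RegistrationMagic $v is below $FIXED_VERSION (CVE-2024-9390)"
        return 0
    fi
    echo "OK: RegistrationMagic $v is $FIXED_VERSION or newer"
    return 1
}

# Only touch the live site when wp-cli is actually on PATH.
if command -v wp >/dev/null 2>&1; then check_live_site; fi
```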
📡 Detection & Monitoring
Log Indicators:
- Unusual plugin setting modifications by admin users
- Multiple requests to RegistrationMagic settings pages with encoded payloads
Network Indicators:
- Outbound connections to suspicious domains from WordPress admin sessions after viewing plugin settings
SIEM Query:
source="wordpress.log" AND "registrationmagic" AND ("update_option" OR "settings saved") AND ("script" OR "javascript" OR "onload")