[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flTVJ5-LDw95ewFEfLjM4b59FnDywa7lufOwQGuD3e0c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-24373","registrationmagic-custom-registration-forms-user-registration-payment-and-user-login-authentication-bypass","RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login \u003C= 6.0.7.1 - Authentication Bypass","The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 6.0.7.1. 
This makes it possible for unauthenticated attackers to bypass authentication.","custom-registration-form-builder-with-submission-manager",null,"\u003C=6.0.7.1","6.0.7.2","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Authentication","2026-03-12 00:00:00","2026-03-19 15:55:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd590e730-ad5f-4046-b897-c3b8aed250b3?source=api-prod",8,[22,23,24,25,26,27,28,29],"admin\u002Fclass_rm_admin.php","admin\u002Fcontrollers\u002Fclass_rm_form_controller.php","admin\u002Fcontrollers\u002Fclass_rm_options_controller.php","admin\u002Fcontrollers\u002Fclass_rm_user_controller.php","admin\u002Fviews\u002Ftemplate_rm_login_sett_manage.php","admin\u002Fviews\u002Ftemplate_rm_user_manager.php","includes\u002Fclass_registration_magic.php","includes\u002Fclass_rm_activator.php","researched",false,3,"This research plan targets an **Authentication Bypass** vulnerability in RegistrationMagic (up to and including version 6.0.7.1). The plan has not been verified; it attributes the vulnerability to improper verification of identity during the social login process, which would allow an unauthenticated attacker to log in as any user (including an administrator) by simply providing their email address.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Improper Authentication (Authentication Bypass)\n*   **Location:** `RM_Login_Controller::social_cb()` (inferred from the plugin's MVC structure and standard social login callback patterns, not confirmed in the plugin source; none of the files listed in the patch diff is a login controller).\n*   **Root Cause:** The social login callback logic handles requests from external providers (Google, Facebook, etc.). 
In the vulnerable version, the plugin identifies the user by the `email` parameter provided in the request but fails to verify a valid OAuth token or \"state\" parameter from the provider.\n*   **Impact:** Unauthenticated attackers can impersonate any user, typically the site administrator, gaining full control over the WordPress instance. The issue is fixed in version 6.0.7.2, so affected sites should update.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `rm_login_social_cb` (mapped via the `rm_slug` parameter or directly as an AJAX action).\n*   **Required Parameters:** `email` (The email of the target user) and `type` (e.g., `google`, `facebook`).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The attacker must know the email address of an administrator.\n\n### 3. Code Flow\n1.  **Entry Point:** The request hits `admin-ajax.php` with `action=rm_login_social_cb`.\n2.  **Routing:** `Registration_Magic::define_public_hooks()` registers the AJAX action to the main controller's `run()` method:\n    `$this->loader->add_action('wp_ajax_nopriv_rm_login_social_cb', $this->controller, 'run');`\n3.  **Controller Execution:** `RM_Main_Controller::run()` (in `includes\u002Fclass_registration_magic.php`) uses `RM_Request` to extract the `rm_slug` (which defaults to the action name).\n4.  **Action Logic:** The request is routed to `RM_Login_Controller`. The `social_cb` (or similarly named) method is invoked.\n5.  **Bypass:** The logic checks if a `type` and `email` are provided. It then calls `get_user_by('email', $request->req['email'])`.\n6.  **Authentication Sink:** If a user is found, the plugin calls `wp_set_auth_cookie($user->ID)` and `wp_set_current_user($user->ID)` without checking for a valid secret\u002Ftoken from the social provider.\n\n### 4. 
Nonce Acquisition Strategy\nSocial login callbacks are designed to be reached by external services and typically **do not require a WordPress nonce**.\n*   The `wp_ajax_nopriv_rm_login_social_cb` hook is intended for unauthenticated access.\n*   If the plugin attempted to verify a nonce, the external provider would fail to provide it, breaking the feature. Therefore, this endpoint is expected to be nonce-free.\n*   **Verification:** If the exploit fails with a `403` or `-1`, check for nonce requirements in the `RM_Login_Controller`.\n\n### 5. Exploitation Strategy\nThe goal is to log in as the administrator.\n\n**Step 1: Identify Administrator Email**\nUse the WordPress REST API to find the administrator's email.\n*   **Request:** `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers`\n*   **Tool:** `http_request`\n*   **Expected Result:** Look for the user with `\"slug\": \"admin\"` or ID `1` and note their email.\n\n**Step 2: Trigger Authentication Bypass**\nSend a crafted request to the social login callback endpoint.\n*   **Request Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=rm_login_social_cb&type=facebook&email=[ADMIN_EMAIL]\n    ```\n*   **Alternative Body (if using rm_slug routing):**\n    ```\n    action=rm_run_action&rm_slug=rm_login_social_cb&type=facebook&email=[ADMIN_EMAIL]\n    ```\n\n**Step 3: Capture Cookies**\nThe server should respond with `Set-Cookie` headers containing `wordpress_logged_in_[hash]` and `wordpress_[hash]`.\n\n### 6. Test Data Setup\n1.  **WordPress User:** Ensure a user with the `administrator` role exists (default is `admin` with email `admin@example.com`).\n2.  **Plugin State:** RegistrationMagic must be active. 
No specific form configuration is required as the social login callback logic is globally active in the affected versions.\n\n###","gemini-3-flash-preview","2026-04-18 03:58:24","2026-04-18 03:59:17",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.0.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]