Vulnerability Description
The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metagauss | Registrationmagic | <= 5.0.1.7 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2635173/custom-registration-form-buPatchThird Party Advisory
- https://www.wordfence.com/blog/2021/12/authentication-bypass-vulnerability-patchExploitThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4073Third Party Advisory
- https://plugins.trac.wordpress.org/changeset/2635173/custom-registration-form-buPatchThird Party Advisory
- https://www.wordfence.com/blog/2021/12/authentication-bypass-vulnerability-patchExploitThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4073Third Party Advisory
FAQ
What is CVE-2021-4073?
CVE-2021-4073 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identit...
How severe is CVE-2021-4073?
CVE-2021-4073 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-4073?
Check the references section above for vendor advisories and patch information. Affected products include: Metagauss Registrationmagic.