CVE-2024-1991 - Vulnerability Details - OpenCVE

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metagauss	Registrationmagic

Configuration 1 [-]

cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205
https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24
https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve

History

Fri, 31 Jan 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Metagauss Metagauss registrationmagic
Weaknesses		CWE-862
CPEs		cpe:2.3:a:metagauss:registrationmagic::::::wordpress::*
Vendors & Products		Metagauss Metagauss registrationmagic

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-04-09T18:58:59.144Z

Updated: 2024-08-09T18:51:57.594Z

Reserved: 2024-02-28T20:27:38.281Z

Link: CVE-2024-1991

Vulnrichment

Updated: 2024-08-01T18:56:22.558Z

NVD

Status : Analyzed

Published: 2024-04-09T19:15:21.883

Modified: 2025-01-31T01:32:27.643

Link: CVE-2024-1991

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1991", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-28T20:27:38.281Z", "datePublished": "2024-04-09T18:58:59.144Z", "dateUpdated": "2024-08-09T18:51:57.594Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-04-09T18:58:59.144Z"}, "affected": [{"vendor": "metagauss", "product": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205"}, {"url": "https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "timeline": [{"time": "2024-03-14T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.558Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "metagauss", "product": "registrationmagic", "cpes": ["cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.0.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-11T17:42:59.026343Z", "id": "CVE-2024-1991", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:51:57.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.558Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1991", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-11T17:42:59.026343Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*"], "vendor": "metagauss", "product": "registrationmagic", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.3.0.0"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:51:52.307Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Krzysztof Zaj\u0105c"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "metagauss", "product": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-14T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205"}, {"url": "https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24"}], "descriptions": [{"lang": "en", "value": "The RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-04-09T18:58:59.144Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1991", "state": "PUBLISHED", "dateUpdated": "2024-08-09T18:51:57.594Z", "dateReserved": "2024-02-28T20:27:38.281Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-04-09T18:58:59.144Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5431F904-0597-4627-BD50-8286354EE517", "versionEndExcluding": "5.3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator"}, {"lang": "es", "value": "El complemento RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login para WordPress es vulnerable a una escalada de privilegios debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n update_users_role() en todas las versiones hasta la 5.3.0.0 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, escale sus privilegios al de administrador."}], "id": "CVE-2024-1991", "lastModified": "2025-01-31T01:32:27.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-04-09T19:15:21.883", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk//services/class_rm_user_services.php#L1205"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3049490/custom-registration-form-builder-with-submission-manager#file24"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/766e3966-157a-4db3-9179-813032343f76?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}