$1,313 Bounty Awarded for Privilege Escalation Vulnerability Patched in RegistrationMagic WordPress Plugin


🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!


On February 26th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a Privilege Escalation vulnerability in RegistrationMagic, a WordPress plugin with more than 10,000+ active installations. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating the user role.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,313.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. This demonstrates that we are not only committed to investing in making the WordPress ecosystem more secure, but also the entire web.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 28, 2024. Sites using the free version of Wordfence will receive the same protection on March 29, 2024.

We contacted Metagauss on February 29, 2024, and received a response on March 4, 2024. After providing full disclosure details, the developer released a patch on March 11, 2024. We would like to commend Metagauss for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of RegistrationMagic, which is version 5.3.1.0, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 5.3.0.0 – Authenticated (Subscriber+) Privilege Escalation
Affected Plugin: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 5.3.0.0
CVE ID: CVE-2024-1991
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Krzysztof Zając
Fully Patched Version: 5.3.1.0
Bounty Award: $1,313.00

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator

Technical Analysis

RegistrationMagic is a WordPress user registration plugin, which includes many features, such as custom registration form, user management, statistical analysis and many more.

Examining the code reveals that the plugin uses the update_users_role() function in the RM_User_Services class to update the user role. Unfortunately, this function was implemented insecurely, allowing all authenticated users to modify the user role, including granting themselves the administrator role.

public function update_users_role(){
    if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
        $role = isset($_POST['role']) ? strtolower(sanitize_text_field($_POST['role'])) : '';
        if(!empty($role)){

            $user_ids = isset($_POST['user_ids']) && !empty($_POST['user_ids']) ? $_POST['user_ids'] : array();
            if(!empty($user_ids)){
                foreach($user_ids as $user_id){
                    $user = new WP_User( $user_id );
                    $user->set_role($role);
                }
            }
        }
    }
    wp_send_json_success(true);
    die;
}

The function includes a nonce check, but it uses a general nonce that is available on every page where the plugin’s forms are used.

The most significant problem and vulnerability is caused by the fact that there are no capability checks in the AJAX function. This made it possible for authenticated users, such as subscribers, to set their own user role to administrator.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

February 26, 2024 – We receive the submission of the Privilege Escalation vulnerability in RegistrationMagic via the Wordfence Bug Bounty Program.
February 28, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 28, 2024Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
February 29, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 4, 2024 – The vendor confirms the inbox for handling the discussion.
March 5, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
March 11, 2024 – The fully patched version of the plugin, 5.3.1.0, is released.
March 29, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the RegistrationMagic plugin affecting versions 5.3.0.0 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 5.3.1.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of RegistrationMagic.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of February 28, 2024. Users using the free version of Wordfence will receive the same protection on March 29, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you enjoy this post? Share it!

Comments

No Comments