RegistrationMagic WordPress Plugin Sensitive Data Disclosure Vulnerability

A vulnerability in the RegistrationMagic WordPress plugin, affecting versions prior to 6.0.7.2, allows for the unauthorized disclosure of sensitive data to users with subscriber roles and above. The issue arises because the plugin properly verifies nonces but fails to check user capabilities, creating a loophole for data exposure.

Impact

Exploitation of this vulnerability leads to the unauthorized exposure of sensitive user data, including revenue, submissions, and sent email details, to subscribers and higher roles.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the action 'rm_sort_form_fields' and the 'rm_slug' parameter set to 'rm_user_manage'. This request should include a valid nonce. The response will contain the 'rm_sec_nonce' needed for the next request. Then, send another POST request to 'wp-admin/admin-ajax.php' with the action 'rm_user_additional_details', the 'rm_slug' parameter set to 'rm_user_additional_details', and the 'rm_sec_nonce' parameter set to the nonce obtained from the first response. Include user IDs in the request. The response will reveal sensitive data such as revenue, submissions, and sent email counts.

Remediation

Users are advised to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or later.