CVE-2024-10508 Overview
The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress contains a critical privilege escalation vulnerability in all versions up to, and including, 6.0.2.6. This vulnerability arises from improper validation of password reset tokens prior to updating a user's password. Unauthenticated attackers can exploit this flaw to reset the password of arbitrary users, including administrators, and gain unauthorized access to these accounts.
Critical Impact
Unauthenticated attackers can take over any WordPress user account, including administrators, by exploiting improper password reset token validation.
Affected Products
- Metagauss RegistrationMagic plugin for WordPress versions up to and including 6.0.2.6
- WordPress sites using the RegistrationMagic custom registration forms plugin
- All installations with user registration functionality enabled
Discovery Timeline
- 2024-11-09 - CVE-2024-10508 published to NVD
- 2025-01-29 - Last updated in NVD database
Technical Details for CVE-2024-10508
Vulnerability Analysis
This vulnerability represents an authentication bypass through improper handling of password reset functionality. The flaw exists within the class_rm_login_controller.php file, specifically in the password reset mechanism implemented by the plugin. When a user initiates a password reset, the plugin fails to properly validate the reset token before allowing the password change operation to complete.
The weakness is classified under CWE-230 (Improper Handling of Missing Values), indicating that the plugin does not adequately verify the presence and validity of security tokens during the password reset process. This allows attackers to bypass the intended authentication flow entirely.
Root Cause
The root cause lies in the login controller's password reset logic at lines 239-241 of class_rm_login_controller.php. The plugin does not properly validate that the password reset token:
- Actually exists and matches a valid pending reset request
- Has not expired
- Belongs to the user account being targeted
This missing validation creates a direct path for attackers to reset any user's password without proper authorization checks.
Attack Vector
The attack leverages the network-accessible password reset functionality exposed by the WordPress plugin. An unauthenticated attacker can exploit this vulnerability by:
- Identifying a target WordPress site running a vulnerable version of RegistrationMagic
- Initiating a password reset request for a target account (administrator preferred)
- Bypassing or manipulating the token validation mechanism due to improper verification
- Successfully resetting the target user's password to attacker-controlled credentials
- Logging in as the compromised user with full account privileges
The vulnerability requires no user interaction and can be exploited remotely with low complexity. The password reset endpoint processes requests without adequately verifying the legitimacy of the reset token, enabling complete account takeover.
Detection Methods for CVE-2024-10508
Indicators of Compromise
- Unusual password reset requests in WordPress logs, especially for administrator accounts
- Multiple password reset attempts for different users from the same IP address
- Successful logins to administrator accounts from unrecognized IP addresses or locations
- Changes to WordPress site configuration or new user accounts created unexpectedly
Detection Strategies
- Monitor WordPress authentication logs for anomalous password reset activity patterns
- Implement Web Application Firewall (WAF) rules to detect and block suspicious requests to the password reset endpoint
- Configure alerts for any administrator account password changes
- Review RegistrationMagic plugin logs for unusual reset token processing activity
Monitoring Recommendations
- Enable detailed logging for all authentication-related events in WordPress
- Set up real-time alerting for administrator-level account modifications
- Monitor HTTP request patterns to class_rm_login_controller.php endpoints
- Implement login attempt monitoring to detect post-exploitation access
How to Mitigate CVE-2024-10508
Immediate Actions Required
- Update RegistrationMagic plugin to version 6.0.2.7 or later immediately
- Audit all administrator and privileged user accounts for unauthorized access
- Force password resets for all users as a precautionary measure
- Review WordPress audit logs for signs of compromise during the vulnerable period
- Temporarily disable the plugin if immediate patching is not possible
Patch Information
Metagauss has released a security patch addressing this vulnerability. The fix is available in the WordPress Plugin Change Set which implements proper token validation in the password reset process. WordPress administrators should update to version 6.0.2.7 or later through the standard WordPress plugin update mechanism.
For additional details, refer to the Wordfence Vulnerability Report.
Workarounds
- Disable the RegistrationMagic plugin entirely until patching is complete
- Implement additional authentication layers such as two-factor authentication (2FA) for all administrator accounts
- Use a Web Application Firewall to restrict access to password reset functionality
- Limit administrator login access to known IP addresses if possible
# Disable RegistrationMagic plugin via WP-CLI until patched
wp plugin deactivate custom-registration-form-builder-with-submission-manager
# Force password reset for all users after patching
wp user reset-password $(wp user list --field=ID)
# Verify plugin version after update
wp plugin get custom-registration-form-builder-with-submission-manager --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
