Critical severity9.8NVD Advisory· Published Nov 9, 2024· Updated Jun 17, 2026
CVE-2024-10508
CVE-2024-10508
Description
The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <=6.0.2.6
- metagauss/RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Loginv5Range: 0
Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/changeset/3181174/custom-registration-form-builder-with-submission-manager/trunk/public/controllers/class_rm_login_controller.phpnvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/c4679fa7-be6b-4f50-8cdf-ff9822794f19nvdThird Party Advisory
- plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.2.6/public/controllers/class_rm_login_controller.phpnvdProduct
- plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.2.6/public/controllers/class_rm_login_controller.phpnvdProduct
News mentions
0No linked articles in our index yet.