CVE-2024-9390 – RegistrationMagic < 6.0.2.1 – Stored XSS to Admin Creation – POC

In the ever-evolving landscape of cybersecurity, vulnerabilities in WordPress plugins remain a persistent threat. One such recent discovery is CVE-2024-9390, a Stored Cross-Site Scripting (XSS) vulnerability affecting versions of the RegistrationMagic plugin prior to 6.0.2.1. This flaw allows attackers with certain privileges to inject malicious scripts, which can execute arbitrary JavaScript in the administrator’s session, potentially leading to account hijacking or further exploitation of the system.

CVE	CVE-2024-9390
Plugin	RegistrationMagic < 6.0.2.1
Critical	High
All Time	1 817 068
Active installations	10 000+
Publicly Published	March 06, 2025
Last Updated	March 06, 2025
Researcher	Artyom Krugov
OWASP TOP-10	A7: Cross-Site Scripting (XSS)
PoC	Yes
Exploit	No
Reference	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9390 https://wpscan.com/vulnerability/6a5308fb-83bf-4f6a-a7ef-e3e1b69aa80f/
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

Get Plugin Security Certificate

PSC by Cleantalk

Timeline

Discovery of the Vulnerability

During a security assessment of the RegistrationMagic plugin, researchers identified a Stored XSS vulnerability that could be exploited by injecting a malicious payload into a specific field within the plugin’s form settings. The issue was confirmed in versions below 6.0.2.1 and reported accordingly to the developers, who have since released a patch to mitigate the risk.

Understanding of XSS attack’s

Stored XSS is a type of vulnerability where a malicious script is injected into a website and stored on the server. When unsuspecting users, such as administrators or other logged-in users, access the affected page, the script executes within their browser. In WordPress, Stored XSS vulnerabilities often arise due to improper input sanitization in plugins and themes.

Exploiting the XSS Vulnerability

To exploit CVE-2024-9390, an attacker needs to have sufficient privileges to create or modify form fields within the RegistrationMagic plugin. The following steps outline the exploitation process:

POC:

1) Navigate to the RegistrationMagic panel within WordPress.
2) Select an existing form or create a new one.
3) Click on the Fields button.
4) Click on the gear icon to access advanced settings.
5) Navigate to the Raw Properties tab.
6) Inject the malicious XSS payload into the Subheading field.
7) Save the changes.

____

Recommendations for Improved Security

To mitigate the risk of exploitation, users should take the following security measures:

1. Update to the Latest Version: Ensure that RegistrationMagic is updated to version 6.0.2.1 or later.
2. Sanitize and Validate Input: Developers should implement proper input sanitization using esc_html(), esc_attr(), and wp_kses() to prevent malicious code execution.
3. Use a Web Application Firewall (WAF): A WAF can help detect and block malicious requests before they reach the WordPress site.
4. Limit User Privileges: Assign only the necessary permissions to users, reducing the risk of unauthorized modifications.

CVE-2024-9390 highlights the critical need for continuous security auditing of WordPress plugins. Stored XSS vulnerabilities pose a severe risk, especially when they can be leveraged to compromise administrators. By promptly updating plugins, following security best practices, and maintaining a proactive security posture, website owners can safeguard their WordPress installations from such attacks.

To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10143, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Artyom k.