CVE-2023-50846: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in the RegistrationMagic WordPress plugin (CVE-2023-50846), affecting versions up to and including 5.2.4.5. The vulnerability exists in the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries (Patchstack Advisory, WPScan).

The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS v3.1 base score of 7.2 (HIGH) according to NIST, and 7.6 (HIGH) according to Patchstack. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged according to NIST's assessment, with high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated attackers with administrator access to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. This could lead to unauthorized access to database contents and potential manipulation of stored data (WPScan).

The vulnerability has been patched in version 5.2.4.6 of the RegistrationMagic plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack Advisory).