CVE-2017-20208

CVE-2017-20208 is a PHP Object Injection vulnerability (CWE-502) affecting the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress in all versions up to, but excluding, 3.7.9.3. The issue arises from deserialization of untrusted input in the is_expired_by_date() function, enabling attackers to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying malicious input, they can trigger PHP Object Injection, and the presence of a Proof-of-Concept (POP) chain allows them to fetch a remote file and install it on the targeted site, potentially leading to remote code execution, such as deploying a webshell.

Advisories from Wordfence highlight the availability of a patch in the WordPress plugin trac at changeset 1733274, which addresses the deserialization issue. Security practitioners should urge site administrators to update the RegistrationMagic plugin to version 3.7.9.3 or later to mitigate the vulnerability, as detailed in the referenced threat intelligence and blog posts.

This vulnerability was among three zero-day plugin flaws exploited in the wild, as reported by Wordfence in 2017, underscoring its real-world impact prior to formal CVE assignment.