Description
WordPress Plugin Registration Forms-User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction is prone to multiple vulnerabilities, including cross-site scripting and SQL injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, to compromise the application, access or modify data or to exploit vulnerabilities in the underlying database. WordPress Plugin Registration Forms-User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction version 2.0.18 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.0.19 or latest
References
http://seclists.org/bugtraq/2015/Oct/64
http://seclists.org/bugtraq/2015/Oct/63
https://packetstormsecurity.com/files/133929/WordPress-Pie-Register-2.0.18-SQL-Injection.html
https://packetstormsecurity.com/files/133928/WordPress-Pie-Register-2.0.18-Cross-Site-Scripting.html
Related Vulnerabilities
PHP Improper Input Validation Vulnerability (CVE-2012-0788)
Zenphoto Other Vulnerability (CVE-2006-2186)
WordPress Plugin Swim Team Arbitrary File Download (1.44.1077)
WordPress Plugin Advanced Access Manager Security Bypass (3.2.1)
WordPress Plugin GiveWP-Donation and Fundraising Platform Multiple Vulnerabilities (2.20.2)