CVE-2017-20208
Published: 18 October 2025
Summary
CVE-2017-20208 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Metagauss Registrationmagic. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the specific PHP Object Injection flaw in the RegistrationMagic plugin via deserialization in is_expired_by_date(), as fixed in version 3.7.9.3.
Enforces validation of untrusted input prior to deserialization, directly blocking malicious PHP Object Injection payloads exploited by unauthenticated attackers.
Verifies software and information integrity to detect unauthorized changes, such as remote files fetched and installed via the POP chain leading to RCE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote PHP Object Injection in public-facing WordPress plugin enables T1190 (Exploit Public-Facing Application); POP chain facilitates remote file fetch/install for RCE like webshell (T1100).
NVD Description
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it…
more
possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to fetch a remote file and install it on the site.
Deeper analysisAI
CVE-2017-20208 is a PHP Object Injection vulnerability (CWE-502) affecting the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress in all versions up to, but excluding, 3.7.9.3. The issue arises from deserialization of untrusted input in the is_expired_by_date() function, enabling attackers to inject a PHP Object. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying malicious input, they can trigger PHP Object Injection, and the presence of a Proof-of-Concept (POP) chain allows them to fetch a remote file and install it on the targeted site, potentially leading to remote code execution, such as deploying a webshell.
Advisories from Wordfence highlight the availability of a patch in the WordPress plugin trac at changeset 1733274, which addresses the deserialization issue. Security practitioners should urge site administrators to update the RegistrationMagic plugin to version 3.7.9.3 or later to mitigate the vulnerability, as detailed in the referenced threat intelligence and blog posts.
This vulnerability was among three zero-day plugin flaws exploited in the wild, as reported by Wordfence in 2017, underscoring its real-world impact prior to formal CVE assignment.
Details
- CWE(s)