CVE-2026-32498

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.6 - Missing Authorization

Vulnerability type: Missing Authorization
Severity: medium
CVSS Score: 5.3
Patched in: 6.0.7.7
Time to patch: 8d

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.0.7.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=6.0.7.6
Published: March 20, 2026
Last updated: March 27, 2026

What Changed in the Fix

Changes introduced in v6.0.7.7


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-32498 (RegistrationMagic Missing Authorization)

1. Vulnerability Summary

The RegistrationMagic plugin for WordPress (versions <= 6.0.7.6) contains a missing authorization vulnerability. Multiple AJAX actions registered via wp_ajax_ and wp_ajax_nopriv_ fail to implement capability checks (e.g., current_user_can('manage_options')) and often lack nonce verification. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings (e.g., dismissing banners), triggering test emails with arbitrary SMTP configurations, or altering form behaviors.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: review_banner_handler (Primary PoC) or rm_test_smtp_config (High Impact PoC)
  • Authentication: Unauthenticated (accessible via wp_ajax_nopriv_)
  • Preconditions: The plugin must be active. For the SMTP PoC, the server must be able to make outbound connections.
  • Vulnerable Parameter: operation (for review_banner_handler).

3. Code Flow

  1. Hook Registration: In includes/class_registration_magic.php, the plugin registers AJAX handlers:
    • wp_ajax_review_banner_handler calls RM_Utilities::handle_rating_operations.

Research Findings
Static analysis — not yet PoC-verified

Summary

RegistrationMagic versions up to 6.0.7.6 are vulnerable to missing authorization on several AJAX handlers. This allows authenticated users (such as Subscribers) and in some cases unauthenticated attackers to modify plugin settings, trigger SMTP tests with arbitrary configurations, or dismiss administrative banners because the handlers lack capability checks like current_user_can().

Vulnerable Code

// includes/class_registration_magic.php:1222
public function rm_options_default_payment_method(){
    if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
        if(!empty($_REQUEST['payment_method'])) {
            update_option('rm_option_default_payment_method',sanitize_text_field($_REQUEST['payment_method']));
        }
        echo "saved";
    }
    die;
}
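
The handler above verifies a nonce but never checks a capability. As an added example (not the plugin's code and not part of the original page), this Python script audits PHP source for that pattern: functions that call a state-changing WordPress API without any current_user_can() call. The STATE_CHANGING list is an assumption, and the two sample strings are built from the handler and the patched condition quoted on this page.

```python
import re

STATE_CHANGING = ("update_option", "add_option", "delete_option")  # assumed list of WordPress calls that persist state
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")

def function_bodies(php):
    """Yield (name, body) per PHP function; brace matching skips quoted strings, not comments."""
    for m in FUNC_RE.finditer(php):
        depth, i, quote = 1, m.end(), None
        while i < len(php) and depth:
            ch = php[i]
            if quote:
                if ch == "\\":
                    i += 1                      # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch in "{}":
                depth += 1 if ch == "{" else -1
            i += 1
        yield m.group(1), php[m.end():i - 1]

def audit(php):
    """Report functions that write state without any current_user_can() call."""
    findings = []
    for name, body in function_bodies(php):
        called = lambda fn: re.search(r"\b%s\s*\(" % fn, body) is not None
        writes = [fn for fn in STATE_CHANGING if called(fn)]
        if writes and not called("current_user_can"):
            nonce = called("check_ajax_referer") or called("wp_verify_nonce")
            findings.append({"function": name, "writes": writes, "nonce_only": nonce})
    return findings

# Constructed sample: the 6.0.7.6 handler quoted on this page, then the same with the 6.0.7.7 condition.
VULNERABLE = """public function rm_options_default_payment_method(){
    if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
        if(!empty($_REQUEST['payment_method'])) {
            update_option('rm_option_default_payment_method',sanitize_text_field($_REQUEST['payment_method']));
        }
        echo "saved";
    }
    die;
}"""
NONCE = "check_ajax_referer('rm_ajax_secure','rm_sec_nonce')"
FIXED = VULNERABLE.replace(NONCE, NONCE + " && (current_user_can('manage_options')"
                           " || current_user_can('rm_options_managemanage_options'))")
if __name__ == "__main__":
    print(audit(VULNERABLE), audit(FIXED))
```

A function with no finding is not proven safe: the check only tests for the presence of a current_user_can() call, not which capability it names or whether the write actually sits behind it.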

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.7.6/includes/class_registration_magic.php	2026-02-09 06:09:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.7.7/includes/class_registration_magic.php	2026-02-19 10:09:18.000000000 +0000
@@ -1220,7 +1220,7 @@
         }
     }
     public function rm_options_default_payment_method(){
-        if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
+        if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce') && (current_user_can('manage_options') || current_user_can('rm_options_managemanage_options'))) {
             if(!empty($_REQUEST['payment_method'])) {
                 update_option('rm_option_default_payment_method',sanitize_text_field($_REQUEST['payment_method']));
             }
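Review bot: The second capability string in the added condition, 'rm_options_managemanage_options', looks like a fused or mistyped name (it ends in a second 'manage_options'); if no capability is registered under that exact string, that side of the || never passes and only manage_options holders can save, so confirm the intended name against the plugin's capability definitions. Folding the capability test into the same if as check_ajax_referer() also means a denied request just skips the block with no error status; consider an explicit failure such as wp_send_json_error() with a 403. Separately, update_option() still stores any sanitized string from $_REQUEST['payment_method'], so checking the value against the set of configured payment methods would bound what an authorized caller can write.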
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.7.6/includes/class_rm_email.php /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.7.7/includes/class_rm_email.php
--- /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.7.6/includes/class_rm_email.php	2026-02-09 06:09:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.7.7/includes/class_rm_email.php	2026-02-19 10:09:18.000000000 +0000
@@ -133,11 +133,7 @@
     */
     public function from($from, $name = '', $replyto = true) {
         if (!empty($from)) {
-            if (empty($name)) {
-                $this->set_header('From', $from);
-            } else {
-                $this->set_header('From', sprintf('%s <%s>', $name, $from));
-            }
+            $this->set_header('From', $from);
             $this->from = $from;
             $this->from_name = $name;
             if($replyto) {
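Review bot: In from(), the header is now built from $from alone, but nothing in the visible lines validates $from before set_header('From', $from); if the aim is to keep caller-supplied text out of the header, validate it with is_email() and reject CR/LF before setting it. $name is still accepted and stored in $this->from_name but no longer reaches the From header, so the docblock above should say the display name is ignored there, or the name should be reintroduced only after stripping line breaks and angle brackets.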

Exploit Outline

The exploit targets AJAX actions registered via the RM_Loader in class_registration_magic.php. An attacker needs to obtain a valid nonce (such as rm_ajax_secure) which is often present in the frontend for logged-in users. By sending a POST request to /wp-admin/admin-ajax.php with an action like 'rm_options_default_payment_method' and an arbitrary 'payment_method' value, a low-privileged user (Subscriber) can overwrite plugin options. Other actions like 'rm_test_smtp_config' can be abused to trigger outbound emails with arbitrary SMTP credentials if those handlers also fail to check for administrative capabilities.
