[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpqk-Pgm8CIXmorhVTFUF6xHvk0dpUMIuRzLkKkJCREA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32498","registrationmagic-custom-registration-forms-user-registration-payment-and-user-login-missing-authorization","RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login \u003C= 6.0.7.6 - Missing Authorization","The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.0.7.6. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","custom-registration-form-builder-with-submission-manager",null,"\u003C=6.0.7.6","6.0.7.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-20 00:00:00","2026-03-27 18:49:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff6515d70-438b-47b7-a3c4-5b8dc401a40e?source=api-prod",8,[22,23,24,25,26,27,28,29],"includes\u002Fclass_registration_magic.php","includes\u002Fclass_rm_email.php","languages\u002Fcustom-registration-form-builder-with-submission-manager.pot","public\u002Fclass_rm_public.php","readme.txt","registration_magic.php","services\u002Fclass_rm_front_service.php","services\u002Fclass_rm_services.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32498 (RegistrationMagic Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **RegistrationMagic** plugin for WordPress (versions \u003C= 6.0.7.6) contains a missing authorization vulnerability. Multiple AJAX actions registered via `wp_ajax_` and `wp_ajax_nopriv_` fail to implement capability checks (e.g., `current_user_can('manage_options')`) and often lack nonce verification. This allows unauthenticated attackers to perform unauthorized actions, such as modifying plugin settings (e.g., dismissing banners), triggering test emails with arbitrary SMTP configurations, or altering form behaviors.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `review_banner_handler` (Primary PoC) or `rm_test_smtp_config` (High Impact PoC)\n- **Authentication:** Unauthenticated (accessible via `wp_ajax_nopriv_`)\n- **Preconditions:** The plugin must be active. For the SMTP PoC, the server must be able to make outbound connections.\n- **Vulnerable Parameter:** `operation` (for `review_banner_handler`).\n\n## 3. Code Flow\n1. 
**Hook Registration:** In `includes\u002Fclass_registration_magic.php`, the plugin registers AJAX handlers:\n   - `wp_ajax_review_banner_handler` calls `RM_Utilities::handle_rating_operations`.\n   -","RegistrationMagic versions up to 6.0.7.6 are vulnerable to missing authorization on several AJAX handlers. This allows authenticated users (such as Subscribers) and in some cases unauthenticated attackers to modify plugin settings, trigger SMTP tests with arbitrary configurations, or dismiss administrative banners because the handlers lack capability checks like current_user_can().","\u002F\u002F includes\u002Fclass_registration_magic.php:1222\npublic function rm_options_default_payment_method(){\n    if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {\n        if(!empty($_REQUEST['payment_method'])) {\n            update_option('rm_option_default_payment_method',sanitize_text_field($_REQUEST['payment_method']));\n        }\n        echo \"saved\";\n    }\n    die;\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.6\u002Fincludes\u002Fclass_registration_magic.php\t2026-02-09 06:09:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.7\u002Fincludes\u002Fclass_registration_magic.php\t2026-02-19 10:09:18.000000000 +0000\n@@ -1220,7 +1220,7 @@\n         }\n     }\n     public function rm_options_default_payment_method(){\n-        if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {\n+        if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce') && (current_user_can('manage_options') || current_user_can('rm_options_managemanage_options'))) {\n             if(!empty($_REQUEST['payment_method'])) {\n                 update_option('rm_option_default_payment_method',sanitize_text_field($_REQUEST['payment_method']));\n             }\ndiff -ru 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.6\u002Fincludes\u002Fclass_rm_email.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.7\u002Fincludes\u002Fclass_rm_email.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.6\u002Fincludes\u002Fclass_rm_email.php\t2026-02-09 06:09:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.7\u002Fincludes\u002Fclass_rm_email.php\t2026-02-19 10:09:18.000000000 +0000\n@@ -133,11 +133,7 @@\n     *\u002F\n     public function from($from, $name = '', $replyto = true) {\n         if (!empty($from)) {\n-            if (empty($name)) {\n-                $this->set_header('From', $from);\n-            } else {\n-                $this->set_header('From', sprintf('%s \u003C%s>', $name, $from));\n-            }\n+            $this->set_header('From', $from);\n             $this->from = $from;\n             $this->from_name = $name;\n             if($replyto) {","The exploit targets AJAX actions registered via the RM_Loader in class_registration_magic.php. An attacker needs to obtain a valid nonce for an action such as rm_ajax_secure, which is often present in the frontend for logged-in users; the nonce only guards against request forgery and is not an authorization check. By sending a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with an action like 'rm_options_default_payment_method' and an arbitrary 'payment_method' value, a low-privileged user (Subscriber) can overwrite plugin options. 
Other actions such as 'rm_test_smtp_config' could be abused to trigger outbound emails with arbitrary SMTP credentials, but only if those handlers also lack an administrative capability check; the fix diff recorded here shows the capability check being added to rm_options_default_payment_method only, so the other handlers should be confirmed against the 6.0.7.7 source.","gemini-3-flash-preview","2026-04-18 02:04:43","2026-04-18 02:05:32",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.0.7.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]