[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjqR4PqcMykk0Exgttdc0tTGbsk6SLhBs6PWyVC8ScyA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-0929","registrationmagic-missing-authorization-2","RegistrationMagic \u003C 6.0.7.2 - Missing Authorization","The RegistrationMagic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 6.0.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","custom-registration-form-builder-with-submission-manager",null,"\u003C6.0.7.2","6.0.7.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-16 00:00:00","2026-02-24 19:24:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F91a83f52-069e-4611-9b46-4a1913e23f42?source=api-prod",9,[],"researched",false,3,"# Research Plan: CVE-2026-0929 - RegistrationMagic Missing Authorization\n\n## 1. Vulnerability Summary\nThe **RegistrationMagic** plugin (versions prior to 6.0.7.2) contains a missing capability check in one of its AJAX handlers. This vulnerability allows an authenticated user with Subscriber-level permissions to execute a function intended for administrators. In the context of RegistrationMagic, this typically involves administrative actions such as modifying user metadata, managing form submissions, or altering plugin configurations.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** POST\n* **Action (Inferred):** The vulnerability likely resides in an action registered via `wp_ajax_` that lacks a `current_user_can()` check. Based on similar vulnerabilities in this plugin, candidate actions often involve `rm_` prefixes, such as `rm_save_submission_field`, `rm_login_view_sett`, or actions within the `RM_Main_Ajax` class.\n* **Payload Parameters:** `action=[VULNERABLE_ACTION]`, `[NONCE_PARAM]=[NONCE_VALUE]`, and data parameters (e.g., `user_id`, `meta_key`, `config_data`).\n* **Authentication:** Subscriber-level (Logged-in) is required.\n* **Precondition:** A valid nonce for the specific AJAX action is usually required, even if the capability check is missing.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An AJAX request is sent to `admin-ajax.php` with a specific `action` parameter.\n2. **Hook Registration:** The plugin registers the action in a core file (likely `public\u002Fclass_rm_public.php` or `admin\u002Fclass_rm_admin.php`) using:\n `add_action('wp_ajax_rm_some_admin_action', array($this, 'callback_function'));`\n3. **Vulnerable Callback:** The `callback_function` is executed.\n4. **Authorization Failure:** The function may check a nonce using `check_ajax_referer` but fails to call `current_user_can('manage_options')` or a similar capability check.\n5. **Sink:** The function performs a privileged operation (e.g., `update_option`, `wp_update_user`, or database modification via `$wpdb`).\n\n## 4. Nonce Acquisition Strategy\nRegistrationMagic heavily uses localized scripts to pass nonces to the frontend.\n\n1. **Identify Localized Data:** Search the plugin source for `wp_localize_script`.\n * *Target:* `grep -rn \"wp_localize_script\" .`\n * *Common variable names:* `rm_ajax_objects`, `rm_admin_vars`, or `rm_data`.\n2. **Determine Nonce Key:** Look for the key associated with the vulnerable action.\n * *Example:* `window.rm_ajax_objects?.nonce` or `window.rm_admin_vars?.rm_nonce`.\n3. **Setup Page for Extraction:**\n * Create a page containing a RegistrationMagic shortcode (e.g., `[RM_Form id='1']`) to ensure the plugin's JS and nonces are loaded.\n * `wp post create --post_type=page --post_status=publish --post_content='[RM_Form id=\"1\"]' --post_title='Exploit Research'`\n4. **Browser Extraction:**\n * Navigate to the newly created page as a Subscriber user.\n * Execute: `browser_eval(\"window.rm_ajax_objects.nonce\")` (Verify exact object name in source).\n\n## 5. Exploitation Strategy\n### Step 1: Discovery (Identification of the exact sink)\nSearch for AJAX actions that perform sensitive tasks but lack capability checks:\n```bash\ngrep -rn \"add_action.*wp_ajax_\" . | grep -v \"nopriv\"\n```\nExamine the callback functions for those actions. Look for ones that DO NOT contain `current_user_can`.\n\n### Step 2: Payload Construction\nAssuming a common pattern where an administrative action is exposed (e.g., updating a setting):\n* **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Subscriber_Cookies]`\n* **Body:** \n `action=[VULNERABLE_ACTION]&security=[NONCE]¶m_name=[VALUE]`\n\n### Step 3: Execution\nUse the `http_request` tool to send the POST request.\n\n## 6. Test Data Setup\n1. **Create Subscriber User:**\n `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n2. **Identify\u002FCreate a Form:**\n `wp plugin get custom-registration-form-builder-with-submission-manager`\n (Check if any default forms exist; if not, use RegistrationMagic's UI or CLI if available to create a simple form).\n3. **Publish Page:**\n Place the form shortcode on a public-facing page to ensure the Subscriber can access it and get the nonce.\n\n## 7. Expected Results\n* **Response:** The server returns a `200 OK` (often with a JSON success message or `1`) instead of a `403 Forbidden` or `0`.\n* **Side Effect:** The administrative action (e.g., a setting change or user meta update) is successfully performed despite the requester being a Subscriber.\n\n## 8. Verification Steps\n1. **Check Plugin State:** Use WP-CLI to verify if the unauthorized change persisted.\n * `wp option get [modified_option_name]`\n * `wp user meta get [target_user_id] [modified_meta_key]`\n2. **Log Review:** Check the `error_log` if the exploit triggered any PHP notices that confirm the execution path.\n\n## 9. Alternative Approaches\n* **Parameter Polarity:** If the direct action is not obvious, look for \"gateway\" AJAX handlers (e.g., `rm_admin_action`) that take a sub-action parameter. These often route to multiple functions, some of which may be missing checks.\n* **Submission Manipulation:** If the vulnerability is in the submission manager, try modifying the `status` or `user_role` associated with a form submission to elevate the attacker's privileges upon form approval.\n* **Search Patterns:**\n ```bash\n # Find all AJAX callbacks\n grep -r \"function .*Ajax\" .\n # Look for missing capability checks in those files\n grep -L \"current_user_can\" [file_paths]\n ```","RegistrationMagic versions before 6.0.7.2 are vulnerable to missing authorization in AJAX handlers. Authenticated users with subscriber-level permissions can execute administrative functions via the admin-ajax.php endpoint because the plugin fails to perform capability checks on certain internal actions.","1. Authenticate as a subscriber-level user.\n2. Obtain a valid AJAX nonce by inspecting the localized JavaScript on a page containing a RegistrationMagic form (usually found in the 'rm_ajax_objects' global object).\n3. Identify a vulnerable AJAX action (prefixed with 'rm_') that lacks a 'current_user_can' check in its callback function within the plugin source.\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the target function and include the extracted security nonce.\n5. The server will execute the privileged administrative action despite the requester having only subscriber-level permissions.","gemini-3-flash-preview","2026-04-20 22:01:13","2026-04-20 22:02:55",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","6.0.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]