CVE-2026-1054

RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 6.0.7.5
Time to patch: 1d

Description

The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <= 6.0.7.4
Published: January 27, 2026
Last updated: January 28, 2026

Source Code

WordPress.org SVN

Research Plan (Unverified)

Exploitation Research Plan: CVE-2026-1054

1. Vulnerability Summary

The RegistrationMagic plugin (versions <= 6.0.7.4) contains a critical missing authorization vulnerability in its AJAX handling logic. Specifically, the action rm_set_otp is registered for both authenticated and unauthenticated users (wp_ajax_rm_set_otp and wp_ajax_nopriv_rm_set_otp) but fails to implement any nonce verification or capability checks (current_user_can). This allows an unauthenticated attacker to invoke the handler and modify arbitrary global plugin settings stored in the database.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: rm_set_otp
  • Method: POST
  • Authentication: None Required (Unauthenticated)
  • Vulnerable Parameter(s):
    • key (inferred): The specific setting key within the global options array to modify.
    • val (inferred): The value to assign to that setting.
  • Preconditions: The plugin must be active.

3. Code Flow (Inferred)

  1. Entry Point: The request hits admin-ajax.php with action=rm_set_otp.
  2. Hook Trigger: WordPress executes the hook wp_ajax_nopriv_rm_set_otp.
  3. Handler Execution: The plugin's AJAX service (likely RM_Ajax_Service::rm_set_otp) is called.
  4. Processing:
    • The handler retrieves values from $_POST['key'] and $_POST['val'] (or similarly named parameters).
    • It fetches the global settings array (usually the option rm_option_global).
    • It updates the array element corresponding to the provided key with the provided val.
  5. Sink: update_option('rm_option_global', $updated_settings) is called without validating if the requester has administrative privileges.
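
A stopgap for sites that cannot move to 6.0.7.5 immediately, written as an added example (not RegistrationMagic's code and not part of the original page): a must-use plugin that hooks the same two AJAX actions ahead of the plugin's handler and refuses any caller without manage_options. The rmguard names, the file name and the log line format are assumptions; the key parameter name is the one this page infers.

```php
<?php
/**
 * Plugin Name: rm_set_otp guard (added example, not RegistrationMagic code)
 *
 * Save as wp-content/mu-plugins/rmguard.php. Must-use plugins load before
 * regular plugins, and the hooks below use the earliest possible priority,
 * so this check runs before the plugin's own rm_set_otp handler.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Refuse rm_set_otp unless the caller is an administrator.
 * Hypothetical helper name; 'key' is the parameter name inferred on the page.
 */
function rmguard_require_admin() {
	if ( current_user_can( 'manage_options' ) ) {
		return; // Authorized: let the plugin's handler run as usual.
	}

	// Log a sanitized view of the attempt for later review.
	// sanitize_key() returns '' for non-scalar input such as key[]=...
	$key = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
	$ip  = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'rmguard: denied rm_set_otp ip=%s user=%d key=%s',
		$ip,
		get_current_user_id(),
		$key
	) );

	// wp_send_json_error() sends the response and terminates the request,
	// so later callbacks on the same hook never execute.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Cover both registrations named in the vulnerability summary.
add_action( 'wp_ajax_nopriv_rm_set_otp', 'rmguard_require_admin', PHP_INT_MIN );
add_action( 'wp_ajax_rm_set_otp', 'rmguard_require_admin', PHP_INT_MIN );
```

The guard enforces only the capability check, because a nonce check needs the plugin's own admin pages to supply the nonce; updating to 6.0.7.5 remains the fix.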

4. Nonce Acquisition Strategy

According to the vulnerability description, the rm_set_otp handler completely lacks nonce verification.

Conclusion: No nonce is required for exploitation. The request can be sent directly to the AJAX endpoint.

5. Exploitation Strategy

Step 1: Discover Actual Parameter Names

Since source code was not provided, the first step for the automated agent is to identify the exact parameter names used in the rm_set_otp function.

  • Action: Use grep to find the function definition.
  • Command: grep -rn "function rm_set_otp" /var/www/html/wp-content/plugins/custom-registration-form-builder-with-submission-manager/

Step 2: Formulate Payload

Based on RegistrationMagic's standard setting structure, the exploit will attempt to modify the public_key (reCAPTCHA) or a frontend string like sub_title_sub_manager.

Target Payload (Likely):

  • action: rm_set_otp
  • key: public_key
  • val: PWNED_RECAPTCHA_KEY

Step 3: Execute Attack

Using the http_request tool:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=rm_set_otp&key=public_key&val=PWNED_RECAPTCHA_KEY (Verify parameter names from Step 1 first).

6. Test Data Setup

  1. Install Plugin: Ensure RegistrationMagic v6.0.7.4 is installed and activated.
  2. Initial State: Check the current global options to have a baseline.
    • wp option get rm_option_global --format=json

7. Expected Results

  • HTTP Response: The server should return a successful status (200 OK) and likely a '1' or a JSON success message (typical of WordPress AJAX).
  • Outcome: The rm_option_global entry in the wp_options table will be updated. Specifically, the public_key (or chosen key) will now reflect the attacker's value.

8. Verification Steps

After the exploit attempt, verify the change via WP-CLI:

  1. Check Options:
    • wp option get rm_option_global --format=json | grep PWNED_RECAPTCHA_KEY
  2. Success Condition: If the output contains PWNED_RECAPTCHA_KEY, the arbitrary settings modification is confirmed.

9. Alternative Approaches

If key/val parameters do not work, use the following fallback strategies:

  • Check for rm_ prefix: Try rm_option_name and rm_option_value.
  • Check for otp_ prefix: Since the function name is rm_set_otp, the parameters might be otp_key or otp_value.
  • Direct Option Update: Investigate if the handler allows passing an entire array of settings instead of a single key-value pair.
  • Inspect RM_Ajax_Service.php: Use cat on the file containing rm_set_otp to read the logic directly before sending the HTTP request. This is the most reliable way to determine the expected POST keys.

Research Findings
Static analysis — not yet PoC-verified

Summary

The RegistrationMagic plugin for WordPress fails to perform authorization or nonce validation on the 'rm_set_otp' AJAX action, which is registered for unauthenticated users. This allows remote attackers to modify arbitrary global plugin settings, such as reCAPTCHA keys or security options, by specifying a key-value pair in a request to the AJAX endpoint.

Security Fix

--- a/admin/controllers/class_rm_ajax_service.php
+++ b/admin/controllers/class_rm_ajax_service.php
@@ -12,6 +12,10 @@
     public function rm_set_otp() {
+        if (!current_user_can('manage_options')) {
+            wp_die(-1);
+        }
+        check_ajax_referer('rm_admin_nonce', 'security');
         $key = sanitize_text_field($_POST['key']);
         $val = sanitize_text_field($_POST['val']);
         $options = new RM_Options;
         $options->set_value($key, $val);
         wp_die();
     }
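
Review bot: The call $options->set_value($key, $val) still takes the option name straight from $_POST['key'], so any user with manage_options and a valid nonce can write any global setting through a handler whose name suggests it only sets an OTP value; restrict $key to an allowlist of the settings this action is meant to change and reject everything else. $_POST['key'] and $_POST['val'] are also read without an isset() check or wp_unslash(), so a request missing either field raises a notice and stored values keep WordPress's added slashes. The hunk does not touch hook registration: if wp_ajax_nopriv_rm_set_otp is still registered, remove it, since the handler now rejects every caller without manage_options.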

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker sends a POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'rm_set_otp'. The payload must include a 'key' parameter corresponding to a global option key (e.g., 'public_key' for reCAPTCHA) and a 'val' parameter containing the attacker's desired value. Because the handler lacks 'current_user_can()' and 'check_ajax_referer()' checks, the plugin updates its global settings array with the provided values.
