RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 - Missing Authorization
Description
The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.0.8.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.0.8.6What Changed in the Fix
Changes introduced in v6.0.8.7
Source Code
WordPress.org SVNThis exploitation research plan targets **CVE-2026-49764** in the **RegistrationMagic** plugin for WordPress. The vulnerability is a **Missing Authorization** flaw that allows unauthenticated attackers to access administrative controller methods and render admin-only templates. --- ### 1. Vulnerab…
Show full research plan
This exploitation research plan targets CVE-2026-49764 in the RegistrationMagic plugin for WordPress. The vulnerability is a Missing Authorization flaw that allows unauthenticated attackers to access administrative controller methods and render admin-only templates.
1. Vulnerability Summary
The RegistrationMagic plugin utilizes a custom MVC architecture to handle administrative requests. The plugin registers an AJAX action (typically rm_admin_data) that dispatches requests to various controllers. In versions up to and including 6.0.8.6, this dispatcher fails to verify if the requesting user has the manage_options capability before executing the requested controller method. Consequently, unauthenticated attackers can trigger methods in classes like RM_Support_Controller, leading to unauthorized access to administrative data and the leakage of security nonces.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
rm_admin_data(The primary dispatcher for RegistrationMagic admin functions). - Parameters:
action:rm_admin_datarm_action: The specific controller method to invoke (e.g.,support_premium_page,support_forum).rm_form_id: (Optional) Required by some views to prevent errors.
- Authentication: None Required (Unauthenticated).
- Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: An unauthenticated user sends a
POSTrequest toadmin-ajax.phpwithaction=rm_admin_data. - Dispatching: The plugin's dispatcher (in the core RM class) receives the request. It fails to check
current_user_can('manage_options'). - Controller Invocation: The dispatcher uses the
rm_actionparameter to identify the target controller. Forsupport_...actions, it instantiatesRM_Support_Controllerfromadmin/controllers/class_rm_support_controller.php. - Method Execution: If
rm_actionissupport_premium_page, the `premium
Summary
The RegistrationMagic plugin for WordPress fails to implement a capability check in its administrative AJAX dispatcher for the 'rm_admin_data' action. This allows unauthenticated attackers to execute administrative controller methods and render admin-only templates, leading to the leakage of administrative information and security nonces.
Vulnerable Code
// admin/controllers/class_rm_support_controller.php class RM_Support_Controller { public $mv_handler; function __construct(){ $this->mv_handler= new RM_Model_View_Handler(); } public function forum($model,$service,$request,$params){ $view= $this->mv_handler->setView('support'); $view->render(); } // ... (other methods like frontend, whats_new, premium_page) ... public function premium_page($model,$service,$request,$params){ $view= $this->mv_handler->setView('premium'); $view->render(); } public function extensions_page($model,$service,$request,$params){ $view= $this->mv_handler->setView('extensions'); $view->render(); } }
Security Fix
@@ -1,46 +1,46 @@ -<?php - -/* - * To change this license header, choose License Headers in Project Properties. - * To change this template file, choose Tools | Templates - * and open the template in the editor. - */ - -/** - * - * - * @author CMSHelplive - */ -class RM_Support_Controller -{ - public $mv_handler; - - function __construct(){ - $this->mv_handler= new RM_Model_View_Handler(); - } - - public function forum($model,$service,$request,$params){ - $view= $this->mv_handler->setView('support'); - $view->render(); - } - - public function frontend($model,$service,$request,$params){ - $view= $this->mv_handler->setView('frontend_primer'); - $view->render(); - } - - public function whats_new($model,$service,$request,$params){ - $view= $this->mv_handler->setView('whats_new'); - $view->render(); - } - - public function premium_page($model,$service,$request,$params){ - $view= $this->mv_handler->setView('premium'); - $view->render(); - } - - public function extensions_page($model,$service,$request,$params){ - $view= $this->mv_handler->setView('extensions'); - $view->render(); - } -} +<?php + +/* + * To change this license header, choose License Headers in Project Properties. + * To change this template file, choose Tools | Templates + * and open the template in the editor. + */ + +/** + * + * + * @author CMSHelplive + */ +class RM_Support_Controller +{ + public $mv_handler; + + function __construct(){ + $this->mv_handler= new RM_Model_View_Handler(); + } + + public function forum($model,$service,$request,$params){ + $view= $this->mv_handler->setView('support'); + $view->render(); + } + + public function frontend($model,$service,$request,$params){ + $view= $this->mv_handler->setView('frontend_primer'); + $view->render(); + } + + public function whats_new($model,$service,$request,$params){ + $view= $this->mv_handler->setView('whats_new'); + $view->render(); + } + + public function premium_page($model,$service,$request,$params){ + $view= $this->mv_handler->setView('premium'); + $view->render(); + } + + public function extensions_page($model,$service,$request,$params){ + $view= $this->mv_handler->setView('extensions'); + $view->render(); + } +} @@ -43,7 +43,8 @@ !str_contains($this->view_file,'template_rm_dashboard_widget') && !str_contains($this->view_file,'template_rm_formflow_main') && !str_contains($this->view_file,'template_rm_form_preview') && - !str_contains($this->view_file,'template_rm_user_edit_widget') + !str_contains($this->view_file,'template_rm_user_edit_widget') && + !str_contains($this->view_file,'template_rm_premium') ) { include_once 'template_rm_header.php'; } @@ -54,7 +55,8 @@ !str_contains($this->view_file,'template_rm_dashboard_widget') && !str_contains($this->view_file,'template_rm_formflow_main') && !str_contains($this->view_file,'template_rm_form_preview') && - !str_contains($this->view_file,'template_rm_user_edit_widget') + !str_contains($this->view_file,'template_rm_user_edit_widget') && + !str_contains($this->view_file,'template_rm_premium') ) { include_once 'template_rm_promo_banner_bottom.php'; include_once 'template_rm_footer.php';
Exploit Outline
The exploit targets the AJAX dispatcher in RegistrationMagic which fails to verify administrative capabilities. An unauthenticated attacker can send a POST request to `/wp-admin/admin-ajax.php` with the parameter 'action' set to 'rm_admin_data' and 'rm_action' set to an administrative controller method, such as 'support_premium_page'. Because the dispatcher lacks a `current_user_can('manage_options')` check, it instantiates the target controller and executes the method. The resulting response contains the HTML of the administrative template, which may expose system configuration details and security nonces that can be used in subsequent attacks.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.