CVE-2026-49764

RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
6.0.8.7
Patched in
7d
Time to patch

Description

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.0.8.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.0.8.6
PublishedJune 4, 2026
Last updatedJune 10, 2026

What Changed in the Fix

Changes introduced in v6.0.8.7

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-49764** in the **RegistrationMagic** plugin for WordPress. The vulnerability is a **Missing Authorization** flaw that allows unauthenticated attackers to access administrative controller methods and render admin-only templates. --- ### 1. Vulnerab…

Show full research plan

This exploitation research plan targets CVE-2026-49764 in the RegistrationMagic plugin for WordPress. The vulnerability is a Missing Authorization flaw that allows unauthenticated attackers to access administrative controller methods and render admin-only templates.


1. Vulnerability Summary

The RegistrationMagic plugin utilizes a custom MVC architecture to handle administrative requests. The plugin registers an AJAX action (typically rm_admin_data) that dispatches requests to various controllers. In versions up to and including 6.0.8.6, this dispatcher fails to verify if the requesting user has the manage_options capability before executing the requested controller method. Consequently, unauthenticated attackers can trigger methods in classes like RM_Support_Controller, leading to unauthorized access to administrative data and the leakage of security nonces.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: rm_admin_data (The primary dispatcher for RegistrationMagic admin functions).
  • Parameters:
    • action: rm_admin_data
    • rm_action: The specific controller method to invoke (e.g., support_premium_page, support_forum).
    • rm_form_id: (Optional) Required by some views to prevent errors.
  • Authentication: None Required (Unauthenticated).
  • Preconditions: The plugin must be active.

3. Code Flow

  1. Entry Point: An unauthenticated user sends a POST request to admin-ajax.php with action=rm_admin_data.
  2. Dispatching: The plugin's dispatcher (in the core RM class) receives the request. It fails to check current_user_can('manage_options').
  3. Controller Invocation: The dispatcher uses the rm_action parameter to identify the target controller. For support_... actions, it instantiates RM_Support_Controller from admin/controllers/class_rm_support_controller.php.
  4. Method Execution: If rm_action is support_premium_page, the `premium
Research Findings
Static analysis — not yet PoC-verified

Summary

The RegistrationMagic plugin for WordPress fails to implement a capability check in its administrative AJAX dispatcher for the 'rm_admin_data' action. This allows unauthenticated attackers to execute administrative controller methods and render admin-only templates, leading to the leakage of administrative information and security nonces.

Vulnerable Code

// admin/controllers/class_rm_support_controller.php

class RM_Support_Controller
{
    public $mv_handler;

    function __construct(){
        $this->mv_handler= new RM_Model_View_Handler();
    }

    public function forum($model,$service,$request,$params){
        $view= $this->mv_handler->setView('support');
        $view->render();
    }
    
    // ... (other methods like frontend, whats_new, premium_page) ...
    
    public function premium_page($model,$service,$request,$params){
        $view= $this->mv_handler->setView('premium');
        $view->render();
    }

    public function extensions_page($model,$service,$request,$params){
        $view= $this->mv_handler->setView('extensions');
        $view->render();
    }
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.6/admin/controllers/class_rm_support_controller.php /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.7/admin/controllers/class_rm_support_controller.php
--- /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.6/admin/controllers/class_rm_support_controller.php	2026-05-06 12:32:14.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.7/admin/controllers/class_rm_support_controller.php	2026-05-15 11:00:52.000000000 +0000
@@ -1,46 +1,46 @@
-<?php
-
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-
-/**
- *
- *
- * @author CMSHelplive
- */
-class RM_Support_Controller
-{
-    public $mv_handler;
-
-    function __construct(){
-        $this->mv_handler= new RM_Model_View_Handler();
-    }
-
-    public function forum($model,$service,$request,$params){
-        $view= $this->mv_handler->setView('support');
-        $view->render();
-    }
-    
-    public function frontend($model,$service,$request,$params){
-        $view= $this->mv_handler->setView('frontend_primer');
-        $view->render();
-    }
-    
-    public function whats_new($model,$service,$request,$params){
-        $view= $this->mv_handler->setView('whats_new');
-        $view->render();
-    }
-    
-    public function premium_page($model,$service,$request,$params){
-        $view= $this->mv_handler->setView('premium');
-        $view->render();
-    }
-
-    public function extensions_page($model,$service,$request,$params){
-        $view= $this->mv_handler->setView('extensions');
-        $view->render();
-    }
-}
+<?php
+
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+/**
+ *
+ *
+ * @author CMSHelplive
+ */
+class RM_Support_Controller
+{
+    public $mv_handler;
+
+    function __construct(){
+        $this->mv_handler= new RM_Model_View_Handler();
+    }
+
+    public function forum($model,$service,$request,$params){
+        $view= $this->mv_handler->setView('support');
+        $view->render();
+    }
+    
+    public function frontend($model,$service,$request,$params){
+        $view= $this->mv_handler->setView('frontend_primer');
+        $view->render();
+    }
+    
+    public function whats_new($model,$service,$request,$params){
+        $view= $this->mv_handler->setView('whats_new');
+        $view->render();
+    }
+    
+    public function premium_page($model,$service,$request,$params){
+        $view= $this->mv_handler->setView('premium');
+        $view->render();
+    }
+
+    public function extensions_page($model,$service,$request,$params){
+        $view= $this->mv_handler->setView('extensions');
+        $view->render();
+    }
+}
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.6/admin/views/class_rm_view_admin.php /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.7/admin/views/class_rm_view_admin.php
--- /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.6/admin/views/class_rm_view_admin.php	2026-05-06 12:32:14.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/custom-registration-form-builder-with-submission-manager/6.0.8.7/admin/views/class_rm_view_admin.php	2026-05-15 11:00:52.000000000 +0000
@@ -43,7 +43,8 @@
             !str_contains($this->view_file,'template_rm_dashboard_widget') &&
             !str_contains($this->view_file,'template_rm_formflow_main') &&
             !str_contains($this->view_file,'template_rm_form_preview') &&
-            !str_contains($this->view_file,'template_rm_user_edit_widget')
+            !str_contains($this->view_file,'template_rm_user_edit_widget') &&
+            !str_contains($this->view_file,'template_rm_premium')
         ) {
             include_once 'template_rm_header.php';
         }
@@ -54,7 +55,8 @@
             !str_contains($this->view_file,'template_rm_dashboard_widget') &&
             !str_contains($this->view_file,'template_rm_formflow_main') &&
             !str_contains($this->view_file,'template_rm_form_preview') &&
-            !str_contains($this->view_file,'template_rm_user_edit_widget')
+            !str_contains($this->view_file,'template_rm_user_edit_widget') &&
+            !str_contains($this->view_file,'template_rm_premium')
         ) {
             include_once 'template_rm_promo_banner_bottom.php';
             include_once 'template_rm_footer.php';

Exploit Outline

The exploit targets the AJAX dispatcher in RegistrationMagic which fails to verify administrative capabilities. An unauthenticated attacker can send a POST request to `/wp-admin/admin-ajax.php` with the parameter 'action' set to 'rm_admin_data' and 'rm_action' set to an administrative controller method, such as 'support_premium_page'. Because the dispatcher lacks a `current_user_can('manage_options')` check, it instantiates the target controller and executes the method. The resulting response contains the HTML of the administrative template, which may expose system configuration details and security nonces that can be used in subsequent attacks.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.