[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsCtxhof86-ipiiP5PRLik62BsOaYhjnIUmS85mIMHr0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-49764","registrationmagic-user-registration-forms-plugin-missing-authorization","RegistrationMagic – User Registration Forms Plugin \u003C= 6.0.8.6 - Missing Authorization","The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.0.8.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.","custom-registration-form-builder-with-submission-manager",null,"\u003C=6.0.8.6","6.0.8.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-04 00:00:00","2026-06-10 17:58:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F24986bbe-6584-4d0a-829c-684c60527482?source=api-prod",7,[22,23,24,25],"admin\u002Fcontrollers\u002Fclass_rm_support_controller.php","admin\u002Fviews\u002Fclass_rm_view_admin.php","admin\u002Fviews\u002Ftemplate_rm_form_settings.php","admin\u002Fviews\u002Ftemplate_rm_premium.php","researched",false,3,"This exploitation research plan targets **CVE-2026-49764** in the **RegistrationMagic** plugin for WordPress. The vulnerability is a **Missing Authorization** flaw that allows unauthenticated attackers to access administrative controller methods and render admin-only templates.\n\n---\n\n### 1. Vulnerability Summary\nThe RegistrationMagic plugin utilizes a custom MVC architecture to handle administrative requests. The plugin registers an AJAX action (typically `rm_admin_data`) that dispatches requests to various controllers. In versions up to and including **6.0.8.6**, this dispatcher fails to verify if the requesting user has the `manage_options` capability before executing the requested controller method. Consequently, unauthenticated attackers can trigger methods in classes like `RM_Support_Controller`, leading to unauthorized access to administrative data and the leakage of security nonces.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `rm_admin_data` (The primary dispatcher for RegistrationMagic admin functions).\n*   **Parameters:** \n    *   `action`: `rm_admin_data`\n    *   `rm_action`: The specific controller method to invoke (e.g., `support_premium_page`, `support_forum`).\n    *   `rm_form_id`: (Optional) Required by some views to prevent errors.\n*   **Authentication:** None Required (**Unauthenticated**).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a `POST` request to `admin-ajax.php` with `action=rm_admin_data`.\n2.  **Dispatching:** The plugin's dispatcher (in the core RM class) receives the request. It fails to check `current_user_can('manage_options')`.\n3.  **Controller Invocation:** The dispatcher uses the `rm_action` parameter to identify the target controller. For `support_...` actions, it instantiates `RM_Support_Controller` from `admin\u002Fcontrollers\u002Fclass_rm_support_controller.php`.\n4.  **Method Execution:** If `rm_action` is `support_premium_page`, the `premium","The RegistrationMagic plugin for WordPress fails to implement a capability check in its administrative AJAX dispatcher for the 'rm_admin_data' action. This allows unauthenticated attackers to execute administrative controller methods and render admin-only templates, leading to the leakage of administrative information and security nonces.","\u002F\u002F admin\u002Fcontrollers\u002Fclass_rm_support_controller.php\n\nclass RM_Support_Controller\n{\n    public $mv_handler;\n\n    function __construct(){\n        $this->mv_handler= new RM_Model_View_Handler();\n    }\n\n    public function forum($model,$service,$request,$params){\n        $view= $this->mv_handler->setView('support');\n        $view->render();\n    }\n    \n    \u002F\u002F ... (other methods like frontend, whats_new, premium_page) ...\n    \n    public function premium_page($model,$service,$request,$params){\n        $view= $this->mv_handler->setView('premium');\n        $view->render();\n    }\n\n    public function extensions_page($model,$service,$request,$params){\n        $view= $this->mv_handler->setView('extensions');\n        $view->render();\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.6\u002Fadmin\u002Fcontrollers\u002Fclass_rm_support_controller.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.7\u002Fadmin\u002Fcontrollers\u002Fclass_rm_support_controller.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.6\u002Fadmin\u002Fcontrollers\u002Fclass_rm_support_controller.php\t2026-05-06 12:32:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.7\u002Fadmin\u002Fcontrollers\u002Fclass_rm_support_controller.php\t2026-05-15 11:00:52.000000000 +0000\n@@ -1,46 +1,46 @@\n-\u003C?php\n-\n-\u002F*\n- * To change this license header, choose License Headers in Project Properties.\n- * To change this template file, choose Tools | Templates\n- * and open the template in the editor.\n- *\u002F\n-\n-\u002F**\n- *\n- *\n- * @author CMSHelplive\n- *\u002F\n-class RM_Support_Controller\n-{\n-    public $mv_handler;\n-\n-    function __construct(){\n-        $this->mv_handler= new RM_Model_View_Handler();\n-    }\n-\n-    public function forum($model,$service,$request,$params){\n-        $view= $this->mv_handler->setView('support');\n-        $view->render();\n-    }\n-    \n-    public function frontend($model,$service,$request,$params){\n-        $view= $this->mv_handler->setView('frontend_primer');\n-        $view->render();\n-    }\n-    \n-    public function whats_new($model,$service,$request,$params){\n-        $view= $this->mv_handler->setView('whats_new');\n-        $view->render();\n-    }\n-    \n-    public function premium_page($model,$service,$request,$params){\n-        $view= $this->mv_handler->setView('premium');\n-        $view->render();\n-    }\n-\n-    public function extensions_page($model,$service,$request,$params){\n-        $view= $this->mv_handler->setView('extensions');\n-        $view->render();\n-    }\n-}\n+\u003C?php\n+\n+\u002F*\n+ * To change this license header, choose License Headers in Project Properties.\n+ * To change this template file, choose Tools | Templates\n+ * and open the template in the editor.\n+ *\u002F\n+\n+\u002F**\n+ *\n+ *\n+ * @author CMSHelplive\n+ *\u002F\n+class RM_Support_Controller\n+{\n+    public $mv_handler;\n+\n+    function __construct(){\n+        $this->mv_handler= new RM_Model_View_Handler();\n+    }\n+\n+    public function forum($model,$service,$request,$params){\n+        $view= $this->mv_handler->setView('support');\n+        $view->render();\n+    }\n+    \n+    public function frontend($model,$service,$request,$params){\n+        $view= $this->mv_handler->setView('frontend_primer');\n+        $view->render();\n+    }\n+    \n+    public function whats_new($model,$service,$request,$params){\n+        $view= $this->mv_handler->setView('whats_new');\n+        $view->render();\n+    }\n+    \n+    public function premium_page($model,$service,$request,$params){\n+        $view= $this->mv_handler->setView('premium');\n+        $view->render();\n+    }\n+\n+    public function extensions_page($model,$service,$request,$params){\n+        $view= $this->mv_handler->setView('extensions');\n+        $view->render();\n+    }\n+}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.6\u002Fadmin\u002Fviews\u002Fclass_rm_view_admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.7\u002Fadmin\u002Fviews\u002Fclass_rm_view_admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.6\u002Fadmin\u002Fviews\u002Fclass_rm_view_admin.php\t2026-05-06 12:32:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.8.7\u002Fadmin\u002Fviews\u002Fclass_rm_view_admin.php\t2026-05-15 11:00:52.000000000 +0000\n@@ -43,7 +43,8 @@\n             !str_contains($this->view_file,'template_rm_dashboard_widget') &&\n             !str_contains($this->view_file,'template_rm_formflow_main') &&\n             !str_contains($this->view_file,'template_rm_form_preview') &&\n-            !str_contains($this->view_file,'template_rm_user_edit_widget')\n+            !str_contains($this->view_file,'template_rm_user_edit_widget') &&\n+            !str_contains($this->view_file,'template_rm_premium')\n         ) {\n             include_once 'template_rm_header.php';\n         }\n@@ -54,7 +55,8 @@\n             !str_contains($this->view_file,'template_rm_dashboard_widget') &&\n             !str_contains($this->view_file,'template_rm_formflow_main') &&\n             !str_contains($this->view_file,'template_rm_form_preview') &&\n-            !str_contains($this->view_file,'template_rm_user_edit_widget')\n+            !str_contains($this->view_file,'template_rm_user_edit_widget') &&\n+            !str_contains($this->view_file,'template_rm_premium')\n         ) {\n             include_once 'template_rm_promo_banner_bottom.php';\n             include_once 'template_rm_footer.php';","The exploit targets the AJAX dispatcher in RegistrationMagic which fails to verify administrative capabilities. An unauthenticated attacker can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter 'action' set to 'rm_admin_data' and 'rm_action' set to an administrative controller method, such as 'support_premium_page'. Because the dispatcher lacks a `current_user_can('manage_options')` check, it instantiates the target controller and executes the method. The resulting response contains the HTML of the administrative template, which may expose system configuration details and security nonces that can be used in subsequent attacks.","gemini-3-flash-preview","2026-06-26 05:06:35","2026-06-26 05:09:08",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.0.8.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.8.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.8.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.8.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.8.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]