Skip to main content

RegistrationMagic CVE-2026-9242

| EUVDEUVD-2026-39949 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-27 Wordfence GHSA-jxxc-m933-38gm
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
8.7 HIGH

AC:H reflects prerequisite security hash from prior legitimate payment; S:C and C:H/I:H reflect full admin account takeover outcome, not the scored I:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 07:52 vuln.today
CVE Published
Jun 27, 2026 - 06:50 cve.org
MEDIUM 5.3

DescriptionCVE.org

The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN callback handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data - including payment_status and the custom field encoding the target user_id - before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's user_id with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.

AnalysisAI

Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Complete legitimate payment on target site
Delivery
Obtain security hash from own transaction
Exploit
POST forged IPN with admin user_id to nopriv AJAX endpoint
Install
Plugin writes poisoned user_id to DB before PayPal validation
C2
IPN validation fails but DB poisoning persists
Execute
Visit success return URL with legitimate security hash
Impact
Receive WordPress admin session cookies

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions to be met simultaneously. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS base score of 5.3 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N substantially misrepresents the actual impact: the described outcome is full administrative account takeover, not a minor integrity modification - C:N and I:L are inconsistent with an attacker receiving valid admin-level WordPress session cookies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has previously completed a legitimate payment on the target WordPress site - obtaining a valid security hash tied to their own payment log entry - submits a crafted unauthenticated HTTP POST to the site's AJAX endpoint targeting the rm_paypal_ipn action, with the custom field encoding the user_id of an administrator account (commonly user ID 1 or 2) and a fabricated payment_status value. The plugin immediately writes the admin's user_id into the payment log database before contacting PayPal for validation; even when PayPal rejects the forged IPN, the database row retains the admin's user_id. …
Remediation A code fix has been committed to the plugin trunk in the WordPress SVN repository (changeset 3532900), but the version number of a stable patched release has not been independently confirmed from available data - site administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/1dcf68fd-e9d3-4a46-8bd4-15c2598b91fe and the official WordPress plugin page for a release beyond 6.0.8.6 incorporating this fix, and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy