Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
AC:H reflects prerequisite security hash from prior legitimate payment; S:C and C:H/I:H reflect full admin account takeover outcome, not the scored I:L.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN callback handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data - including payment_status and the custom field encoding the target user_id - before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's user_id with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.
AnalysisAI
Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions to be met simultaneously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS base score of 5.3 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N substantially misrepresents the actual impact: the described outcome is full administrative account takeover, not a minor integrity modification - C:N and I:L are inconsistent with an attacker receiving valid admin-level WordPress session cookies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has previously completed a legitimate payment on the target WordPress site - obtaining a valid security hash tied to their own payment log entry - submits a crafted unauthenticated HTTP POST to the site's AJAX endpoint targeting the rm_paypal_ipn action, with the custom field encoding the user_id of an administrator account (commonly user ID 1 or 2) and a fabricated payment_status value. The plugin immediately writes the admin's user_id into the payment log database before contacting PayPal for validation; even when PayPal rejects the forged IPN, the database row retains the admin's user_id. … |
| Remediation | A code fix has been committed to the plugin trunk in the WordPress SVN repository (changeset 3532900), but the version number of a stable patched release has not been independently confirmed from available data - site administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/1dcf68fd-e9d3-4a46-8bd4-15c2598b91fe and the official WordPress plugin page for a release beyond 6.0.8.6 incorporating this fix, and upgrade immediately upon availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39949
GHSA-jxxc-m933-38gm