
RegistrationMagic EUVD-2026-36888 | CVE-2026-49764 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 · Patchstack · GHSA-2hf6-3gj9-p8hw
CVSS 3.1 score 9.8 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vuln.today AI: 9.8 CRITICAL

WordPress plugin endpoint is network-reachable (AV:N), CWE-288 implies low-complexity bypass (AC:L), no auth needed (PR:N/UI:N), and broken auth typically yields full data and account control (C/I/A:H).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis generated: Jun 15, 2026 - 21:31 (vuln.today)

Description (CVE.org)

Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.

Analysis (AI)

Authentication bypass in the RegistrationMagic WordPress plugin (versions up to and including 6.0.8.6) allows unauthenticated remote attackers to circumvent intended authentication controls and gain access to protected resources. The flaw, tracked as CWE-288 and reported by Patchstack, carries a critical 9.8 CVSS score because exploitation requires no privileges, no user interaction, and is reachable over the network. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

Access: Fingerprint WordPress sites running RegistrationMagic ≤ 6.0.8.6
Delivery: Send unauthenticated HTTP request to vulnerable plugin endpoint
Exploit: Bypass broken authentication check (CWE-288)
Execution: Invoke protected plugin function as privileged user
Persist: Exfiltrate user data or escalate to account takeover
Impact: Pivot to full WordPress site compromise

Vulnerability Assessment (AI)

Exploitation: Required prerequisites are that the target WordPress site has the RegistrationMagic plugin (slug 'custom-registration-form-builder-with-submission-manager') installed and active at version 6.0.8.6 or earlier, and that the plugin's vulnerable endpoint is reachable over HTTP/HTTPS, which is the default for any WordPress front end. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H paints a worst-case picture: internet-reachable, no authentication, no user interaction, and full confidentiality, integrity, and availability impact, a textbook critical web vulnerability. …

Exploit Scenario: An attacker enumerates WordPress sites with the RegistrationMagic plugin installed (a fingerprint Patchstack publishes openly), then sends an unauthenticated HTTP request to the vulnerable plugin endpoint, likely an admin-ajax.php action or REST route, that fails to verify identity or capability. The attacker thereby obtains access to a protected function (for example, account takeover, privileged data retrieval, or submission tampering) and pivots to broader compromise of the WordPress instance.

Remediation: No vendor-released patch was identified at the time of analysis in the provided data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-8-6-broken-authentication-vulnerability) and the WordPress plugin repository for any release above 6.0.8.6 and upgrade immediately when one is available. …

Recommended Action (AI)

Within 24 hours: Audit all WordPress instances to identify those running RegistrationMagic version 6.0.8.6 or earlier; disable the plugin immediately or restrict access to registration endpoints. …
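As an added, defender-side example that is not part of this page or of the plugin project: a POSIX shell script that carries out the audit step above on one or more WordPress installs via WP-CLI, using the plugin slug and the 6.0.8.6 version ceiling stated on this page. It assumes the `wp` command is available and that each install path is passed as an argument; the decision to deactivate rather than restrict the endpoints is an assumption.

```shell
#!/bin/sh
# Audit WordPress installs for RegistrationMagic <= 6.0.8.6 (CVE-2026-49764)
# and deactivate the plugin where an affected version is active.
# Added example: assumes WP-CLI ("wp") is installed and install paths are
# passed as arguments. Slug and version ceiling come from the advisory above.

PLUGIN_SLUG='custom-registration-form-builder-with-submission-manager'
MAX_AFFECTED='6.0.8.6'

# version_le A B: exit 0 when dotted version A <= B, comparing numeric fields
# left to right; missing trailing fields count as 0, suffixes like "-beta" are
# ignored so a tag such as 6.0.8.6-beta still compares as 6.0.8.6.
version_le() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$a" = "$ah" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$bh" ]; then b=''; else b=${b#*.}; fi
    ah=${ah%%[!0-9]*}; bh=${bh%%[!0-9]*}
    ah=${ah:-0}; bh=${bh:-0}
    [ "$ah" -lt "$bh" ] && return 0
    [ "$ah" -gt "$bh" ] && return 1
  done
  return 0
}

# is_affected VERSION: exit 0 when VERSION is inside the advisory's range.
is_affected() { version_le "$1" "$MAX_AFFECTED"; }

# audit_site PATH: report the installed version; deactivate when affected.
audit_site() {
  site=$1
  if ! wp plugin is-installed "$PLUGIN_SLUG" --path="$site" 2>/dev/null; then
    echo "$site: RegistrationMagic not installed"; return 0
  fi
  ver=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$site")
  if is_affected "$ver"; then
    echo "$site: AFFECTED (version $ver <= $MAX_AFFECTED), deactivating"
    wp plugin deactivate "$PLUGIN_SLUG" --path="$site"
  else
    echo "$site: version $ver is above the affected range"
  fi
}

# Only run when install paths are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  for p in "$@"; do audit_site "$p"; done
fi
```

Run as `sh audit-registrationmagic.sh /var/www/site1 /var/www/site2`; an install that is reported as affected should afterwards be re-checked with `wp plugin list` and updated as soon as a release above 6.0.8.6 appears.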

