Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Unauthenticated remote CSRF (PR:N, AV:N, AC:L) that requires an admin to click a link (UI:R); successful attack yields full admin control, so C/I/A all High.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The RegistrationMagic - User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Articles & Coverage 1
AnalysisAI
Privilege escalation via Cross-Site Request Forgery in the RegistrationMagic WordPress plugin (all versions through 6.0.9.1) lets a remote attacker promote an arbitrary form submitter to administrator by forging a request to the process_request function, which lacks proper nonce validation. The attack plants a malicious Chronos automation task that later runs through WordPress cron, and it succeeds when a logged-in administrator is tricked into clicking an attacker-supplied link. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the RegistrationMagic plugin (≤6.0.9.1) installed with the Chronos automation subsystem reachable, and it depends on tricking an authenticated site administrator into performing an action such as clicking an attacker-controlled link while their admin session is active - that admin interaction is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS is 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), but this vector conflicts with the description in two ways worth flagging: the description says the attacker is unauthenticated (implying PR:N, not PR:L) and that exploitation requires tricking an administrator into clicking a link (implying UI:R, not UI:N) - verify with Wordfence, as CSRF is conventionally scored PR:N/UI:R. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a web page or email link containing a forged request to the RegistrationMagic process_request endpoint and lures a logged-in site administrator into visiting it; the browser submits the request with the admin's cookies, creating a malicious Chronos task. When WordPress cron next runs, the task elevates an attacker-controlled form submitter to administrator, giving the attacker full control of the site. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - the WordPress.org trac changeset (revision 3579552) shows the nonce-validation fix, so update the RegistrationMagic plugin to the latest available version above 6.0.9.1 via the WordPress admin plugin updater and confirm the installed version afterward. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations for RegistrationMagic plugin presence; disable if not operationally essential. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40924
GHSA-7p35-52fv-8jr6