RegistrationMagic
Authentication bypass in the RegistrationMagic WordPress plugin (versions up to and including 6.0.8.6) allows unauthenticated remote attackers to circumvent intended authentication controls and gain access to protected resources. The flaw, tracked as CWE-288 and reported by Patchstack, carries a critical 9.8 CVSS score because exploitation requires no privileges, no user interaction, and is reachable over the network. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
A missing authorization vulnerability exists in Metagauss RegistrationMagic (custom-registration-form-builder-with-submission-manager) plugin versions up to and including 6.0.7.6, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control. An attacker can leverage this vulnerability to perform unauthorized actions within the application by circumventing intended authorization checks. The vulnerability is classified as CWE-862 (Missing Authorization) and was reported by Patchstack; while CVSS and EPSS scores are not publicly available, the authentication bypass nature of this flaw indicates significant exploitability potential.
RegistrationMagic, a WordPress plugin for custom registration forms, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation through improper access controls. Versions up to and including 6.0.7.1 are affected, enabling attackers to escalate privileges and potentially take over user accounts. While CVSS and EPSS scores are not publicly available, the vulnerability has been documented by Patchstack and assigned ENISA tracking ID EUVD-2026-15569, indicating active vulnerability research and disclosure.
RegistrationMagic through version 6.0.7.6 contains a missing authorization vulnerability that allows authenticated users to modify data and cause service disruptions through improperly configured access controls. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions on form submissions and registration data. No patch is currently available for this vulnerability.
The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.