CVE-2026-1054
Missing Authorization in RegistrationMagic Plugin Allows Settings Modification
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| registrationmagic | registrationmagic | up to 6.0.7.4 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the RegistrationMagic WordPress plugin (up to version 6.0.7.4) is due to missing authorization checks, specifically missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This allows unauthenticated attackers to modify arbitrary plugin settings such as reCAPTCHA keys, security settings, and frontend menu titles.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to change important plugin settings, potentially weakening security measures like reCAPTCHA, altering security configurations, or modifying frontend menu titles, which could lead to unauthorized access or manipulation of the website's behavior.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the RegistrationMagic plugin to a version later than 6.0.7.4 where the issue is fixed. Additionally, review and restrict access to the rm_set_otp AJAX action handler by implementing proper nonce verification and capability checks if possible. Monitor plugin settings for unauthorized changes and consider disabling the plugin temporarily if an update is not immediately available.
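One way to restrict access to the rm_set_otp action until the update is applied, shown as an added example that is not code from RegistrationMagic or from this advisory: a WordPress must-use plugin that rejects the action for any request lacking an administrator capability and logs the attempt. The file name, the `rm_guard_` identifiers, the choice of `manage_options`, and the premise that the plugin registers its handler at the default hook priority are assumptions.

```php
<?php
/**
 * Added example (not RegistrationMagic code): stopgap guard for the
 * rm_set_otp AJAX action. Assumed location (hypothetical file name):
 * wp-content/mu-plugins/rm-set-otp-guard.php
 */

// Action name as given in the advisory text.
const RM_GUARD_ACTION = 'rm_set_otp';

// Assumption: only administrators should be able to change plugin settings.
const RM_GUARD_CAPABILITY = 'manage_options';

/**
 * Stop the request before the plugin's handler runs unless the caller
 * is a logged-in user holding the required capability.
 */
function rm_guard_block_unauthorized() {
    if ( current_user_can( RM_GUARD_CAPABILITY ) ) {
        return; // Authorized: fall through to the plugin's own handler.
    }

    // Log the blocked request so tampering attempts show up in the PHP error log.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log(
        sprintf(
            'rm-guard: blocked %s from %s (user id %d)',
            RM_GUARD_ACTION,
            $ip,
            get_current_user_id()
        )
    );

    // Sends a JSON error with HTTP 403 and terminates the request.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// admin-ajax.php fires wp_ajax_{action} for logged-in users and
// wp_ajax_nopriv_{action} for visitors. Priority 0 runs ahead of
// handlers registered at the default priority of 10 (assumed here).
add_action( 'wp_ajax_' . RM_GUARD_ACTION, 'rm_guard_block_unauthorized', 0 );
add_action( 'wp_ajax_nopriv_' . RM_GUARD_ACTION, 'rm_guard_block_unauthorized', 0 );
```

If the site relies on this action for visitor-facing OTP flows, the guard blocks those as well, so treat it as temporary and remove it once the plugin has been updated.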