CVE-2026-0929
Improper Capability Checks in RegistrationMagic Plugin Allow Form Creation
Publication date: 2026-02-16
Last updated on: 2026-02-17
Assigner: WPScan
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| registrationmagic | registrationmagic | all versions before 6.0.7.2 (6.0.7.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0929 affects the WordPress plugin RegistrationMagic in versions prior to 6.0.7.2. The vulnerability is caused by improper capability checks, which means that users with subscriber-level permissions or higher can create registration forms on the site without proper authorization.

An attacker with subscriber access can send a specially crafted POST request to the endpoint `/wp-admin/admin-ajax.php` with specific parameters, resulting in the creation of a new registration form visible in the plugin's "All Forms" section.

This issue is classified as a Broken Access Control vulnerability (OWASP A5) and corresponds to CWE-862 (Missing Authorization). [1]
How can this vulnerability impact me?
This vulnerability allows users with low-level permissions (subscribers) to create registration forms on the site without proper authorization.
This could lead to unauthorized form creation, which might be used to collect data, manipulate site behavior, or potentially facilitate further attacks depending on how the forms are used.
Because it is a Broken Access Control issue, it undermines the security model of the site by allowing actions that should be restricted to higher privilege users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the WordPress admin AJAX endpoint that attempt to create new registration forms without proper authorization.

Specifically, look for POST requests to `/wp-admin/admin-ajax.php` with parameters such as `action=rm_sort_form_fields`, `rm_slug=rm_form_quick_add`, `form_name`, `form_type`, `user_auto_approval`, and `data`.

A network or web server log inspection can help identify such requests. For example, using command-line tools like `grep` on web server logs to find these requests:

- `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=rm_sort_form_fields'`
- `grep 'rm_slug=rm_form_quick_add' /var/log/apache2/access.log`

Additionally, monitoring WordPress user activity logs or plugin-specific logs (if available) for unexpected form creation events can help detect exploitation attempts. [1]
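As an added detection example (not part of the advisory or the plugin), the following Python parses constructed Apache-style access-log lines and flags `admin-ajax.php` requests whose query string carries the parameter values listed above, recording which of the companion parameters were present. It assumes the standard log format; note that such logs record only the query string, not the POST body, so this check, like the `grep` commands above, only catches requests that pass the parameters in the URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Feb/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=rm_sort_form_fields&rm_slug=rm_form_quick_add HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [16/Feb/2026:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.12 - - [16/Feb/2026:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?rm_slug=rm_form_quick_add&form_name=x HTTP/1.1" 200 256 "-" "curl/8.0"
203.0.113.13 - - [16/Feb/2026:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Marker values the advisory associates with the form-creation request, and the
# companion parameter names worth recording as context when a marker is seen.
MARKER_PARAMS = {"action": {"rm_sort_form_fields"}, "rm_slug": {"rm_form_quick_add"}}
CONTEXT_PARAMS = {"form_name", "form_type", "user_auto_approval", "data"}

# Common Log Format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return a dict with path and decoded query parameters, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query)   # name -> list of values
    return rec

def is_suspect(rec):
    """True for admin-ajax.php requests whose query carries one of the marker values."""
    if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    return any(values & set(rec["params"].get(name, []))
               for name, values in MARKER_PARAMS.items())

def scan_log(text):
    """Return one record per matching line, noting which context params were present."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if is_suspect(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "status": rec["status"],
                         "context_params": sorted(CONTEXT_PARAMS & set(rec["params"]))})
    return hits
```

Run `scan_log` over a real access log read from disk to list the matching client addresses and timestamps; a hit from a low-privilege account on an unpatched site is worth correlating with the plugin's "All Forms" list.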
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or later, where the issue has been fixed.

Until the update can be applied, restrict subscriber-level users from accessing or interacting with the plugin's form creation features.

Additionally, consider implementing web application firewall (WAF) rules to block suspicious POST requests to `/wp-admin/admin-ajax.php` with the parameters associated with this vulnerability. [1]