Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-0929 affects the WordPress plugin RegistrationMagic versions prior to 6.0.7.2. The vulnerability is caused by improper capability checks, which means that users with subscriber-level permissions or higher can create registration forms on the site without proper authorization.'}, {'type': 'paragraph', 'content': 'An attacker with subscriber access can send a specially crafted POST request to the endpoint `/wp-admin/admin-ajax.php` with specific parameters, resulting in the creation of a new registration form visible in the plugin\'s "All Forms" section.'}, {'type': 'paragraph', 'content': 'This issue is classified as a Broken Access Control vulnerability (OWASP A5) and corresponds to CWE-862 (Missing Authorization).'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows users with low-level permissions (subscribers) to create registration forms on the site without proper authorization.

This could lead to unauthorized form creation, which might be used to collect data, manipulate site behavior, or potentially facilitate further attacks depending on how the forms are used.

Because it is a Broken Access Control issue, it undermines the security model of the site by allowing actions that should be restricted to higher privilege users.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the WordPress admin AJAX endpoint that attempt to create new registration forms without proper authorization.'}, {'type': 'paragraph', 'content': 'Specifically, look for POST requests to `/wp-admin/admin-ajax.php` with parameters such as `action=rm_sort_form_fields`, `rm_slug=rm_form_quick_add`, `form_name`, `form_type`, `user_auto_approval`, and `data`.'}, {'type': 'paragraph', 'content': 'A network or web server log inspection can help identify such requests.'}, {'type': 'paragraph', 'content': 'For example, using command-line tools like `grep` on web server logs to find these requests:'}, {'type': 'list_item', 'content': "grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=rm_sort_form_fields'"}, {'type': 'list_item', 'content': "grep 'rm_slug=rm_form_quick_add' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring WordPress user activity logs or plugin-specific logs (if available) for unexpected form creation events can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate step to mitigate this vulnerability is to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or later, where the issue has been fixed.'}, {'type': 'paragraph', 'content': "Until the update can be applied, restrict subscriber-level users from accessing or interacting with the plugin's form creation features."}, {'type': 'paragraph', 'content': 'Additionally, consider implementing web application firewall (WAF) rules to block suspicious POST requests to `/wp-admin/admin-ajax.php` with the parameters associated with this vulnerability.'}] [1]

Useful 0 Not Useful 0