CVE-2026-9242
Received - Intake

Authentication Bypass in RegistrationMagic WordPress Plugin

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: Wordfence

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data (including `payment_status` and the `custom` field encoding the target `user_id`) before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.

Meta Information

Published: 2026-06-27
Last Modified: 2026-06-27
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: registrationmagic
Product: custom_registration_forms
Version / Range: to 6.0.8.6 (inclusive)

Exploitability

CWE ID: CWE-345
Description: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Executive Summary

This vulnerability exists in the RegistrationMagic WordPress plugin, which handles custom registration forms, user registration, payment, and user login. The issue is an authentication bypass caused by insufficient verification of data authenticity in the PayPal IPN callback handler.

Specifically, the PayPal IPN callback handler is registered as a nopriv AJAX action, which WordPress serves to visitors who are not logged in, and it requires neither authentication nor a nonce. It updates the payment log database with attacker-controlled POST data, including the payment status and a custom field encoding the target user ID, before validating the PayPal IPN.

Because the database is updated before validation, the row stays modified even when validation subsequently fails, so an attacker can submit a forged IPN request that overwrites a payment log entry's user ID with that of any target user, including administrators. When the attacker then visits the success return URL with a valid security hash, the plugin issues real WordPress authentication cookies for the targeted account, which lets the attacker authenticate as that user.
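
The ordering flaw described above, modeled as an added example (not the plugin's code and not taken from the advisory): one handler persists request fields before verification, the other verifies first and never takes the row's owner from the request. The in-memory log, the `log_id|user_id` layout of `custom`, the omission of the security hash, and all function names are assumptions made for illustration.

```python
"""Model of write-before-verify vs verify-before-write in a payment callback.
All names and the record layout are hypothetical, not the plugin's code."""

def parse_custom(custom):
    # Hypothetical encoding "log_id|user_id"; the page only says `custom` encodes user_id.
    log_id, user_id = custom.split("|")
    return int(log_id), int(user_id)

def handle_ipn_write_first(log, post, verify):
    """Flawed ordering described in the advisory: persist, then validate."""
    log_id, user_id = parse_custom(post["custom"])
    log[log_id].update(user_id=user_id, status=post["payment_status"])
    return verify(post)  # a False here comes too late: the row already changed

def handle_ipn_verify_first(log, post, verify):
    """Hardened ordering: nothing is persisted unless verification succeeds,
    and the row's owner is never taken from the request."""
    if not verify(post):
        return False
    log_id, claimed_user = parse_custom(post["custom"])
    row = log.get(log_id)
    if row is None or row["user_id"] != claimed_user:
        return False  # owner mismatch: reject instead of overwriting
    row["status"] = post["payment_status"]
    return True

def login_user_for(log, log_id):
    """Models the success-return step, which trusts the row's user_id (assumption)."""
    row = log[log_id]
    return row["user_id"] if row["status"] == "Completed" else None

def demo():
    reject_all = lambda post: False  # stands in for the gateway answering "not verified"
    notification = {"custom": "101|1", "payment_status": "Completed"}  # constructed input
    results = {}
    for name, handler in (("write_first", handle_ipn_write_first),
                          ("verify_first", handle_ipn_verify_first)):
        log = {101: {"user_id": 57, "status": "pending"}}  # constructed row
        accepted = handler(log, notification, reject_all)
        results[name] = (accepted, log[101]["user_id"], login_user_for(log, 101))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both handlers report the notification as rejected; only the verify-first handler leaves the stored row, and therefore the account resolved at the success-return step, unchanged.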

Impact Analysis

This vulnerability allows unauthenticated attackers to bypass authentication and gain access to any WordPress user account, including administrator accounts.

By exploiting this flaw, attackers can take over user accounts, potentially leading to unauthorized access to sensitive information, modification of website content, or control over the entire WordPress site.

Since the attacker can impersonate legitimate users, this can result in significant security breaches, data integrity issues, and loss of trust in the affected website.
