The RegistrationMagic plugin, prior to version 6.0.7.2, fails to enforce proper capability checks, enabling users with the Subscriber role or higher to create forms on the website. This flaw allows an attacker who can earn the Subscriber role, which is typically granted to many users, to add arbitrary form configurations without additional authorization. The primary impact is the potential for malicious forms to be introduced, which could be leveraged for phishing, spam, or other social engineering attacks, compromising the integrity of the site’s user interface and possibly exposing sensitive data to unintended audiences. The weakness is a missing authorization check, identified as CWE-862.

WordPress sites that utilize the RegistrationMagic plugin version earlier than 6.0.7.2 are affected. The vulnerability applies to all installations where the plugin is active, regardless of other configuration settings, as the capability check is performed at the plugin level and not mediated by other WordPress core roles or capabilities.

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of under 1% shows a low likelihood of exploitation at the time of analysis. Because the flaw permits form creation by users who normally lack that permission, an attacker must first obtain a Subscriber role, which can be achieved through social engineering or exploiting other vulnerabilities. There is no indication of additional prerequisites such as elevated privileges or code execution, so the attack vector is likely local or through the normal user workflow of a WordPress site. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Nonetheless, the potential for abuse exists if the site’s demographics or exposure warrant such concern.