Description
Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: from n/a through <= 6.0.7.1.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation / Account Takeover
Action: Immediate Patch
AI Analysis

Impact

RegistrationMagic for WordPress contains an incorrect privilege assignment flaw (CWE‑266). This vulnerability enables an attacker to elevate a user’s role beyond the intended permissions, resulting in account takeover. The flaw can be triggered by supplying crafted input through the plugin’s registration or submission handling, which leads to unauthorized escalation within the WordPress site.

Affected Systems

Metagauss’ RegistrationMagic plugin versions up to and including 6.0.7.1 are vulnerable. Sites running any of those releases on WordPress installations are affected; no additional information is available about newer versions.

Risk and Exploitability

The CVSS score of 8.1 rates this issue as high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of active exploitation. Based on the description, it is inferred that the attack vector is remote, relying on manipulating plugin requests to trigger the privilege escalation. No local privilege or special conditions are required other than an active WordPress site using a vulnerable RegistrationMagic version.

Generated by OpenCVE AI on March 27, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RegistrationMagic plugin to version 6.0.8 or later.
  • If the plugin is not needed, deactivate or remove it from the WordPress installation.
  • After the update, verify that user roles and permissions are correctly applied.
  • Monitor site logs for any unauthorized role changes or privilege increases.
  • Keep WordPress core and all plugins up to date to prevent future vulnerabilities.

Generated by OpenCVE AI on March 27, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss registrationmagic
Wordpress
Wordpress wordpress
Vendors & Products Metagauss
Metagauss registrationmagic
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: from n/a through <= 6.0.7.1.
Title WordPress RegistrationMagic plugin <= 6.0.7.1 - Account Takeover vulnerability
Weaknesses CWE-266
References

Subscriptions

Metagauss Registrationmagic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:43.550Z

Reserved: 2026-01-22T14:42:40.515Z

Link: CVE-2026-24373

cve-icon Vulnrichment

Updated: 2026-03-27T17:46:06.200Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:37.797

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:29Z

Weaknesses