Impact
The RegistrationMagic plugin for WordPress versions up to 6.0.8.6 contains a broken authentication flaw classified as CWE‑288. The vulnerability allows an unauthenticated user to obtain privileged access to the plugin’s registration management interface. Without valid credentials, an attacker could create, modify, or delete registrations, potentially exposing sensitive data and enabling further compromise of the WordPress site.
Affected Systems
The affected product is the Metagauss RegistrationMagic plugin for WordPress, specifically all releases through version 6.0.8.6. Version 6.0.8.7 and later contain the fix.
Risk and Exploitability
The flaw has a CVSS score of 9.8, indicating critical severity. The EPSS score is reported as < 1 %, implying a low probability of exploitation at the time of analysis. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is sending unauthenticated requests to the registration endpoint of the plugin, as the flaw bypasses authentication checks entirely. Because no session or credential requirements exist, the attack surface is the public web interface.
OpenCVE Enrichment