Description
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.
Published: 2026-06-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the RegistrationMagic WordPress plugin, allowing an attacker to bypass authentication by forging a PayPal IPN request. The plugin registers a nopriv AJAX callback that processes payment data before verifying its authenticity, enabling attackers to inject arbitrary values, including payment status and a custom field containing a target user_id. By controlling these POST parameters, an unauthenticated attacker can overwrite a payment log entry linked to a privileged account and force the plugin to issue legitimate WordPress authentication cookies for that account. This circumvents normal login checks and grants the attacker the same privileges as the targeted user. The flaw involves the CWE-345 weakness of insufficient authentication of transmitted data.

Affected Systems

The flaw affects all users of the RegistrationMagic plugin for WordPress up to and including version 6.0.8.6. The plugin provides custom registration forms, user registration, payment handling, and user login functionality. The vulnerability is specific to the PayPal IPN callback in these versions; newer releases beyond 6.0.8.6 are not covered by this advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. Because the vulnerability requires the attacker to know or guess a valid PayPal IPN signature to pass validation, the exploitability is limited; however, the lack of prior authentication or nonce allows the attacker to conduct the initial request without credentials. The EPSS score is unavailable, making it unclear how frequently these types of attacks may be attempted. Since the flaw is not listed in the CISA KEV catalog, it may not yet have known exploits in the wild. Nevertheless, once the initial forged request succeeds, the attacker obtains full control of the target account immediately. The attack vector likely involves HTTP POST requests to the plugin's AJAX endpoint, potentially spoofing PayPal's IPN payload and secret, and then triggering the return URL to generate authentication cookies.

Generated by OpenCVE AI on June 27, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update RegistrationMagic to a version newer than 6.0.8.6
  • If an update is not feasible, temporarily disable or restrict the nopriv AJAX PayPal IPN callback until IPN verification is enforced before modifying payment log entries
  • Ensure that any IPN payload is validated and authenticated before any database changes are made and enforce nonce or authentication checks for that action
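As an added illustration of the last two recommendations (example code written here, not RegistrationMagic's own handler): a WordPress `nopriv` AJAX IPN handler that performs PayPal's documented `_notify-validate` handshake before any database write, looks up the payment row by an invoice id the site issued itself, and never lets the IPN's `custom` field choose the `user_id`. The action name `example_paypal_ipn`, the table `{prefix}example_payment_log` and its column names are assumptions for this example; the WordPress functions used (`add_action`, `wp_remote_post`, `$wpdb->update`, etc.) are standard core APIs.

```php
<?php
// Added illustration (not RegistrationMagic's code): an IPN listener that
// (1) verifies the message with PayPal before touching the database and
// (2) binds the payment to a row the site created, so IPN data cannot
// re-point a payment at another user. Action/table/column names are assumed.

add_action( 'wp_ajax_nopriv_example_paypal_ipn', 'example_handle_paypal_ipn' );

function example_handle_paypal_ipn() {
    // Use the raw body exactly as PayPal sent it; do not rebuild it from $_POST.
    $raw = file_get_contents( 'php://input' );
    if ( '' === $raw ) {
        status_header( 400 );
        wp_die( 'empty IPN' );
    }

    // Verify authenticity FIRST. Nothing has been written yet, so an
    // unverified message leaves the payment log untouched.
    if ( 'VERIFIED' !== example_verify_ipn_with_paypal( $raw ) ) {
        status_header( 400 );
        wp_die( 'IPN not verified' );
    }

    parse_str( $raw, $ipn );

    // Locate OUR row by the invoice id generated when checkout started.
    // The row already carries user_id; the IPN is never allowed to set it.
    global $wpdb;
    $table = $wpdb->prefix . 'example_payment_log';
    $row   = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, user_id, amount, currency FROM {$table} WHERE invoice = %s",
        isset( $ipn['invoice'] ) ? $ipn['invoice'] : ''
    ) );
    if ( ! $row ) {
        status_header( 404 );
        wp_die( 'unknown invoice' );
    }

    // Cross-check the business fields against what the site expected.
    if ( ! isset( $ipn['mc_gross'], $ipn['mc_currency'] )
        || (string) $row->amount !== (string) $ipn['mc_gross']
        || $row->currency !== $ipn['mc_currency'] ) {
        status_header( 400 );
        wp_die( 'amount/currency mismatch' );
    }

    // Only now record the outcome, and only the outcome fields.
    $wpdb->update(
        $table,
        array(
            'payment_status' => sanitize_text_field( $ipn['payment_status'] ?? '' ),
            'txn_id'         => sanitize_text_field( $ipn['txn_id'] ?? '' ),
        ),
        array( 'id' => (int) $row->id ),
        array( '%s', '%s' ),
        array( '%d' )
    );
    status_header( 200 );
    wp_die();
}

// PayPal's IPN verification: post the original message back, prefixed with
// cmd=_notify-validate, and PayPal answers VERIFIED or INVALID.
function example_verify_ipn_with_paypal( $raw ) {
    $response = wp_remote_post( 'https://ipnpb.paypal.com/cgi-bin/webscr', array(
        'body'        => 'cmd=_notify-validate&' . $raw,
        'timeout'     => 30,
        'httpversion' => '1.1',
        'headers'     => array( 'Content-Type' => 'application/x-www-form-urlencoded' ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return 'ERROR';
    }
    return trim( wp_remote_retrieve_body( $response ) );
}
```

Two design points worth noting. A PayPal webhook cannot carry a WordPress nonce, so for the `nopriv` path the authenticity control is the validate handshake itself plus the invoice/amount/currency cross-check; a nonce or capability check belongs on any logged-in (`wp_ajax_`) variant a plugin exposes. And the later "success return URL" step should only ever read `user_id` and `payment_status` from the stored row, never from request parameters, so that issuing authentication cookies depends solely on a verified payment.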

Generated by OpenCVE AI on June 27, 2026 at 08:23 UTC.


Advisories

No advisories yet.

References
Links
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/includes/class_rm_utilities.php#L1384
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/public/class_rm_public.php#L728
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/services/class_rm_paypal_service.php#L110
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/services/class_rm_paypal_service.php#L155
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/includes/class_rm_utilities.php#L1384
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/public/class_rm_public.php#L728
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/services/class_rm_paypal_service.php#L110
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/services/class_rm_paypal_service.php#L155
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/includes/class_rm_utilities.php#L1384
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/public/class_rm_public.php#L728
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L110
https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L155
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3532900%40custom-registration-form-builder-with-submission-manager&new=3532900%40custom-registration-form-builder-with-submission-manager&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/1dcf68fd-e9d3-4a46-8bd4-15c2598b91fe?source=cve
History

Sat, 27 Jun 2026 07:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.

Type: Title
  Values removed: (none)
  Values added: RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forged PayPal IPN Request

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-345

Type: References
  Values removed: (none)
  Values added: (not listed)

Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1, score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T06:50:56.027Z

Reserved: 2026-05-21T19:02:37.567Z

Link: CVE-2026-9242

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T08:30:07Z

Weaknesses
  • CWE-345: Insufficient Verification of Data Authenticity