CVE-2026-1054
📋 TL;DR
The RegistrationMagic WordPress plugin up to version 6.0.7.4 has a missing authorization vulnerability that allows unauthenticated attackers to modify plugin settings via AJAX requests. This affects all WordPress sites using vulnerable versions of the RegistrationMagic plugin. Attackers can change security configurations like reCAPTCHA keys and frontend menu titles without authentication.
💻 Affected Systems
- RegistrationMagic WordPress plugin, versions up to and including 6.0.7.4 (plugin slug: custom-registration-form-builder-with-submission-manager)
⚠️ Manual Verification Required
Automated scanners whose databases lack version ranges for this CVE cannot tell whether a site is affected, so check the installed version yourself: the advisory lists versions up to and including 6.0.7.4 as affected, and 6.0.7.5 as the first fixed release.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers disable security features like reCAPTCHA, modify frontend content to deceive users, and potentially chain with other vulnerabilities to gain administrative access or compromise the entire WordPress site.
Likely Case
Attackers modify plugin settings to disable security controls, change frontend text to mislead users, or disrupt plugin functionality for legitimate users.
If Mitigated
If the plugin has been updated, or a WAF rule drops unauthenticated requests that carry the rm_set_otp action, exploitation attempts fail. Settings that were changed before the mitigation was in place (reCAPTCHA keys, frontend titles) still need to be reviewed and reverted by hand.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to wp-admin/admin-ajax.php with the action parameter set to rm_set_otp and the settings to change as additional parameters; no login, and no nonce, is needed. Because admin-ajax.php reads the action from $_REQUEST, it can be supplied in the query string or in the POST body, and either GET or POST works.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.7.5 or later
Vendor Fix (changeset): https://plugins.trac.wordpress.org/changeset/3444777/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find RegistrationMagic and click 'Update Now'.
4. Verify the version is 6.0.7.5 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the RegistrationMagic plugin until it is patched (registration forms built with it stop working while it is off):
wp plugin deactivate custom-registration-form-builder-with-submission-manager
Web Application Firewall Rule
Block requests carrying the rm_set_otp action
Add a WAF rule that blocks requests to /wp-admin/admin-ajax.php whose action parameter equals rm_set_otp, matching it in both the query string and the POST body, for requests that do not carry a wordpress_logged_in_ cookie. Do not block admin-ajax.php as a whole: many themes and plugins call it from the public frontend, and a rule that only inspects the query string misses the action when it is sent in the body.
🧯 If You Can't Patch
- Disable the RegistrationMagic plugin completely
- Restrict the specific action at the web server or WAF (block action=rm_set_otp from clients without a WordPress login cookie); blanket access controls on wp-admin/admin-ajax.php are not practical, since the endpoint is used by frontend functionality for anonymous visitors
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → RegistrationMagic version. If version is 6.0.7.4 or lower, you are vulnerable.
Check Version:
wp plugin get custom-registration-form-builder-with-submission-manager --field=version
Verify Fix Applied:
After updating, confirm version is 6.0.7.5 or higher in WordPress admin plugins page.
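The version checks above compare version strings by eye. The following added example (not code from the advisory or from the RegistrationMagic project) does the comparison numerically, which matters because a string comparison would rank a hypothetical "6.0.7.10" below "6.0.7.5". It reads the version from the standard WordPress plugin header; the sample header text and the helper names are constructed for this example.

```python
"""Decide whether an installed RegistrationMagic version is in the affected range.

Added example; it assumes the standard WordPress plugin header format and the
affected range stated in the advisory (<= 6.0.7.4 vulnerable, 6.0.7.5 fixed).
"""
import re
from pathlib import Path

FIXED_VERSION = "6.0.7.5"  # first patched release per the advisory
PLUGIN_SLUG = "custom-registration-form-builder-with-submission-manager"

# Constructed sample of a plugin main-file header (not the real file contents).
SAMPLE_HEADER = """<?php
/*
Plugin Name: RegistrationMagic
Version: 6.0.7.4
*/
"""


def parse_version(text):
    """'6.0.7.10' -> (6, 0, 7, 10). Non-numeric trailing parts are dropped."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(installed):
    """True when the installed version sorts below 6.0.7.5 numerically.

    Tuple comparison avoids the string trap where '6.0.7.10' < '6.0.7.5'.
    """
    return parse_version(installed) < parse_version(FIXED_VERSION)


def version_from_plugin_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin header block."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    return match.group(1) if match else None


def installed_version(wp_root):
    """Scan the plugin directory's top-level PHP files for the header block.

    WordPress itself reads the first 8 KiB of each file to find the header.
    Returns None if the plugin directory is absent or no header is found.
    """
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in plugin_dir.glob("*.php"):
        head = php_file.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            return version_from_plugin_header(head)
    return None


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = installed_version(root)
    if found is None:
        print("RegistrationMagic not found under", root)
    else:
        state = "VULNERABLE" if is_vulnerable(found) else "patched"
        print(f"RegistrationMagic {found}: {state}")
```

Run it with the WordPress root as the argument (`python check_rm.py /var/www/html`); the same `is_vulnerable` function can be applied to the output of the `wp plugin get ... --field=version` command shown above.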
📡 Detection & Monitoring
Log Indicators:
- Requests (GET or POST) to /wp-admin/admin-ajax.php with 'action=rm_set_otp' from clients that carry no wordpress_logged_in_ cookie
- Unexpected changes to RegistrationMagic settings (reCAPTCHA keys, frontend menu titles) without a matching admin session
Network Indicators:
- HTTP requests to admin-ajax.php with the rm_set_otp action, particularly from scripted clients hitting many hosts
SIEM Query:
source="web_server" AND url="/wp-admin/admin-ajax.php" AND params.action="rm_set_otp" AND NOT cookie="*wordpress_logged_in_*"
Caveats: a standard access log only shows the action when it is sent in the query string; to see it in a POST body you need request-body logging (for example a WAF or ModSecurity audit log). The access-log "user" field is HTTP basic-auth, not the WordPress login, so it cannot distinguish authenticated WordPress users; the absence of a wordpress_logged_in_ cookie is the usable proxy, if cookies are logged.
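The detection logic above, run over access-log lines, as an added example that is not part of the advisory. It assumes combined log format with the Cookie header quoted as one extra trailing field (the kind of layout you get from an nginx log_format that appends $http_cookie); the log lines are constructed. It catches the action in the query string for both GET and POST, and treats a request without a wordpress_logged_in_ cookie as unauthenticated; a POST that carries the action only in its body is deliberately left alone, since the access log cannot see it.

```python
"""Flag unauthenticated rm_set_otp calls to admin-ajax.php in access-log lines.

Added example. Assumed log layout: combined format followed by the Cookie
header in quotes. Sample lines below are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?$'
)

# Constructed sample: two unauthenticated hits (POST and GET), one logged-in
# admin call, and one POST whose action is in the body and hence invisible here.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2026:10:01:22 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=rm_set_otp HTTP/1.1" 200 31 '
    '"-" "python-requests/2.31" "-"',
    '198.51.100.7 - - [12/Feb/2026:10:02:03 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=rm_set_otp HTTP/1.1" 200 31 '
    '"https://example.test/wp-admin/" "Mozilla/5.0" '
    '"wordpress_logged_in_abc123=admin%7C1700000000%7Ctoken"',
    '192.0.2.9 - - [12/Feb/2026:10:03:40 +0000] '
    '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 11 "-" "curl/8.4.0" "-"',
    '203.0.113.5 - - [12/Feb/2026:10:04:01 +0000] '
    '"GET /wp-admin/admin-ajax.php?action=rm_set_otp HTTP/1.1" 200 31 '
    '"-" "python-requests/2.31" "-"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_rm_set_otp_call(rec):
    """True if the request targets admin-ajax.php with action=rm_set_otp in the query."""
    url = urlsplit(rec["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return "rm_set_otp" in parse_qs(url.query).get("action", [])


def is_logged_in(rec):
    """WordPress sets a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    return "wordpress_logged_in_" in (rec.get("cookie") or "")


def find_suspicious(lines):
    """Return (ip, timestamp, method, status) for unauthenticated rm_set_otp calls."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_rm_set_otp_call(rec) and not is_logged_in(rec):
            hits.append((rec["ip"], rec["ts"], rec["method"], rec["status"]))
    return hits


if __name__ == "__main__":
    import sys

    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, ts, method, status in find_suspicious(source):
        print(f"{ts} {ip} {method} action=rm_set_otp status={status} (unauthenticated)")
```

Pass a log file as the first argument to scan real traffic; with no argument it runs over the constructed sample. A status of 200 on a hit means the plugin accepted the request, which on an unpatched site means the settings were changed.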
🔗 References
- https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209
- https://plugins.trac.wordpress.org/changeset/3444777/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve