RegistrationMagic WordPress Plugin Missing Capability Checks Vulnerability

Vulnerability

A vulnerability exists in the RegistrationMagic WordPress plugin in versions prior to 6.0.7.2, where proper capability checks are not enforced. Because the plugin does not adequately validate user permissions, users with the subscriber role and above can create forms on the site.

Impact

Exploitation of this vulnerability allows unauthorized users to create forms, potentially leading to misuse of the site's registration process or collection of user data through these forms.

Reproduction

To reproduce this vulnerability, send a POST request to '/wp-admin/admin-ajax.php' with the action 'rm_sort_form_fields', the rm_slug 'rm_form_quick_add', and the form_name set to the desired name. Include the form_type, user_auto_approval, and data parameters as well. This will create a registration form that appears in the 'All Forms' section of the RegistrationMagic plugin.

Remediation

Users are advised to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or later.
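For the Reproduction and Remediation sections above, the following added example (not part of the original advisory or the plugin's code) checks an installed version against the fixed release and flags logged requests carrying the action and rm_slug values named above. The JSON log schema (user, method, uri, body) and the sample records are constructed assumptions; matches still need to be correlated with the role of the account that sent them.

```python
import json
from urllib.parse import parse_qs, urlsplit

FIXED = (6, 0, 7, 2)  # first patched release, per the advisory

def is_vulnerable(version):
    """True if a dotted plugin version string is older than the fixed release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts += (0,) * (len(FIXED) - len(parts))  # "6.0.7" compares as 6.0.7.0
    return parts < FIXED

def request_params(record):
    """Merge query-string and form-body parameters of one logged request."""
    params = parse_qs(urlsplit(record.get("uri", "")).query)
    for key, values in parse_qs(record.get("body", "")).items():
        params.setdefault(key, []).extend(values)
    return params

def is_form_create(record):
    """True if the request carries the action and rm_slug named in the advisory."""
    if record.get("method", "").upper() != "POST":
        return False
    if not urlsplit(record.get("uri", "")).path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = request_params(record)
    return ("rm_sort_form_fields" in params.get("action", [])
            and "rm_form_quick_add" in params.get("rm_slug", []))

def scan(lines):
    """Return (user, form_name) for every matching record; skip unparsable lines."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and is_form_create(record):
            name = request_params(record).get("form_name", ["?"])[0]
            hits.append((record.get("user", "?"), name))
    return hits

# Constructed sample records (assumed schema: user, method, uri, body).
SAMPLE_LOG = [
    '{"user": "sub1", "method": "POST", "uri": "/wp-admin/admin-ajax.php",'
    ' "body": "action=rm_sort_form_fields&rm_slug=rm_form_quick_add&form_name=demo"}',
    '{"user": "sub2", "method": "POST", "uri": "/wp-admin/admin-ajax.php",'
    ' "body": "action=heartbeat&interval=60"}',
    '{"user": "sub4", "method": "POST", "uri": "/wp-admin/admin-ajax.php'
    '?action=rm_sort_form_fields", "body": "rm_slug=rm_form_quick_add&form_name=x"}',
    "not json",
]
```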

Added: Feb 16, 2026, 7:20 AM
Updated: Feb 16, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.