RegistrationMagic WordPress Plugin Missing Authorization Vulnerability Allowing Unauthenticated Settings Modification

Vulnerability

A vulnerability exists in the RegistrationMagic plugin for WordPress, in versions through 6.0.7.4, due to missing nonce verification and capability checks in the rm_set_otp AJAX action handler. This flaw allows unauthenticated attackers to alter various plugin settings, such as reCAPTCHA keys, security options, and frontend menu titles.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of critical plugin settings, potentially allowing for further exploitation or disruption of the affected WordPress site.

Remediation

Users are advised to update the RegistrationMagic plugin to version 6.0.7.5 or a newer patched version.

Added: Jan 28, 2026, 8:21 AM
Updated: Jan 28, 2026, 8:21 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
0.6
exploitability
8.2
remediation
7.7
relevance
1.5
threat
3.2
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.