cleantalk
Vulnerabilities and Security Researches

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login, CVE-2026-1054

CVE, Research URL

CVE-2026-1054

Home page URL

Security reports for RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Application

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Published on
Jan 28, 2026
Research Description
The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.
Affected versions
max 6.0.7.5.
Status
vulnerable
Previous vulnerability researches
Simple GDPR Cookie Compliance (CVE-2026-24604) , Jan 27, 2026
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2019-25143) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (7d5b4ba83a5c6004460bf267fe534a359e1416b0) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2023-4013) , Jun 07, 2024
GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) (CVE-2025-1621) , Mar 14, 2025
New vulnerability
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (CVE-2026-1054) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5710) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5718) , Apr 18, 2026
ELEX WordPress HelpDesk & Customer Ticketing System (CVE-2025-9343) , Apr 18, 2026
WP Customer Area (CVE-2026-3464) , Apr 18, 2026