cleantalk
Vulnerabilities and Security Researches

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login, CVE-2026-1054

CVE, Research URL

CVE-2026-1054

Home page URL

Security reports for RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Application

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Published on
Jan 28, 2026
Research Description
The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.
Affected versions
max 6.0.7.5.
Status
vulnerable
Previous vulnerability researches
s2member Secure File Browser (CVE-2013-6837) , Jun 07, 2024
s2member Secure File Browser (3dc58532344f8d166072616889dc5a9ad35c105e) , Jun 07, 2024
New vulnerability
WPGraphQL (CVE-2026-33290) , Apr 18, 2026
WPGraphQL (CVE-2026-27938) , Apr 18, 2026
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (CVE-2026-1054) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5710) , Apr 18, 2026
Drag and Drop Multiple File Upload – Contact Form 7 (CVE-2026-5718) , Apr 18, 2026