CVE Catalog

CVE-2026-12158

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

The RegistrationMagic – User Registration Forms Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 6.0.9.1. Missing nonce validation in the process_request function allows unauthenticated attackers to escalate privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task executed via WordPress cron, provided they trick a site administrator into clicking a link.

Risk Assessment

An attacker can gain administrative control over the WordPress site, leading to full compromise including data theft, content manipulation, and malware installation.

Recommendation

Immediately update the RegistrationMagic plugin to the latest available version that fixes the missing nonce validation. Consider temporarily disabling the plugin until the update is applied.

Original NVD description (English source)

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS