CVE-2026-12158
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The RegistrationMagic – User Registration Forms Plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 6.0.9.1. Missing nonce validation in the process_request function allows unauthenticated attackers to escalate privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task executed via WordPress cron, provided they trick a site administrator into clicking a link.
Risk Assessment
An attacker can gain administrative control over the WordPress site, leading to full compromise including data theft, content manipulation, and malware installation.
Recommendation
Immediately update the RegistrationMagic plugin to the latest available version that fixes the missing nonce validation. Consider temporarily disabling the plugin until the update is applied.
Original NVD description (English source)
The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

