CVE-2026-9242 in RegistrationMagic Plugin

Summary

by MITRE • 06/27/2026

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.


Analysis

by VulDB Data Team • 06/27/2026

This vulnerability exists within the RegistrationMagic WordPress plugin affecting versions through 6.0.8.6 and represents a critical authentication bypass flaw that undermines the security model of the entire platform. The issue stems from improper input validation and insufficient verification of data authenticity within the PayPal IPN callback handler implementation. The plugin registers this callback as a nopriv AJAX action, eliminating any requirement for user authentication or nonce verification, which creates an open attack vector that allows unauthenticated adversaries to manipulate the system's user authentication flow.

The technical flaw operates through a specific sequence of events that demonstrates poor security architecture and data handling practices. Attackers can exploit the vulnerability by submitting a forged PayPal IPN request containing malicious POST data that includes both payment_status and custom fields. The custom field specifically encodes a target user_id, which the vulnerable handler processes and writes directly to the payment log database row before any legitimate PayPal IPN validation occurs. This premature data insertion creates a persistent poisoned state in the database where attacker-controlled values are stored even when subsequent validation fails, effectively enabling the attack to succeed regardless of the validation outcome.

The operational impact of this vulnerability extends beyond simple privilege escalation to full administrative compromise of WordPress installations using the affected plugin. An attacker can authenticate as any user account, including administrators, by manipulating the payment log entries and subsequently visiting legitimate return URLs with valid security hashes. This allows for complete takeover of targeted accounts without requiring prior access credentials or knowledge of user passwords. The vulnerability effectively bypasses the standard WordPress authentication mechanisms and leverages the trust model inherent in the plugin's IPN handling to issue legitimate authentication cookies for compromised accounts.

This vulnerability aligns with CWE-287, which addresses improper authentication, and CWE-20, which covers improper input validation. From an ATT&CK perspective, this represents a privilege escalation technique using credential manipulation and persistence mechanisms. The attack vector can be classified under T1566 - Phishing and T1543 - Create or Modify System Process, as it exploits the legitimate payment processing workflow to establish unauthorized access. The vulnerability also demonstrates weaknesses in the principle of least privilege and input sanitization practices that should be enforced before any data is committed to persistent storage.

Mitigation strategies must include immediate patching to version 6.0.8.7 or later where the vulnerability has been addressed through proper authentication requirements for the IPN handler and implementation of proper input validation before database updates occur. Administrators should also implement additional monitoring of suspicious payment log activities and verify all PayPal IPN requests through proper validation procedures. The plugin's configuration should be reviewed to ensure that no unnecessary AJAX actions are registered without appropriate authentication checks, and that database writes are always validated against expected data formats before persistence occurs. Network-level protections such as firewall rules restricting access to the vulnerable AJAX endpoints can provide additional defense-in-depth measures while the permanent fix is implemented.
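The following is an added illustration of the verify-before-write ordering the summary and the mitigation paragraph call for; it is not RegistrationMagic's code. It is a hypothetical IPN handler in which the `custom` field carries only an opaque payment reference assigned at checkout, the PayPal echo-back validation (the standard `cmd=_notify-validate` exchange against `ipnpb.paypal.com`) completes before any database access, and `user_id` is never taken from the request. The action name, table, column names and the `rm_demo_paypal_email` option are all assumptions.

```php
<?php
// Added example, not plugin code: PayPal IPN handler that verifies first and
// writes last. Table/column/option names are assumed for illustration.
add_action( 'wp_ajax_nopriv_rm_demo_paypal_ipn', 'rm_demo_handle_paypal_ipn' );

function rm_demo_handle_paypal_ipn() {
    global $wpdb;
    $ipn = wp_unslash( $_POST );

    // 1. Echo the notification back to PayPal; only a "VERIFIED" reply is trusted.
    //    Nothing has been written yet, so a forged request leaves no trace in the log.
    $response = wp_remote_post( 'https://ipnpb.paypal.com/cgi-bin/webscr', array(
        'body'    => array_merge( array( 'cmd' => '_notify-validate' ), $ipn ),
        'timeout' => 30,
    ) );
    if ( is_wp_error( $response ) || 'VERIFIED' !== wp_remote_retrieve_body( $response ) ) {
        wp_die( 'IPN not verified', '', array( 'response' => 400 ) );
    }

    // 2. Locate the log row by the plugin's own payment reference (assumed column).
    //    The request may select a row; it may not decide which user that row belongs to.
    $payment_ref = sanitize_text_field( $ipn['custom'] ?? '' );
    $table       = $wpdb->prefix . 'rm_demo_payment_log';
    $row         = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE payment_ref = %s", $payment_ref )
    );
    if ( ! $row ) {
        wp_die( 'Unknown payment', '', array( 'response' => 404 ) );
    }

    // 3. Business checks PayPal recommends: right merchant, right amount, no replay.
    $expected_email = (string) get_option( 'rm_demo_paypal_email' ); // assumed option
    if ( 0 !== strcasecmp( $ipn['receiver_email'] ?? '', $expected_email )
        || abs( (float) ( $ipn['mc_gross'] ?? 0 ) - (float) $row->amount ) > 0.005
        || ! empty( $row->txn_id ) ) {
        wp_die( 'IPN rejected', '', array( 'response' => 400 ) );
    }

    // 4. Only now persist. user_id is not in the update: it stays whatever the
    //    plugin recorded at checkout, so a later return-URL visit logs in that user only.
    $wpdb->update(
        $table,
        array(
            'payment_status' => sanitize_text_field( $ipn['payment_status'] ?? '' ),
            'txn_id'         => sanitize_text_field( $ipn['txn_id'] ?? '' ),
        ),
        array( 'id' => $row->id ),
        array( '%s', '%s' ),
        array( '%d' )
    );
    wp_die( '', '', array( 'response' => 200 ) );
}
```

The handler stays a nopriv action because PayPal's servers are unauthenticated to WordPress; what protects it is that every database write is gated on the echo-back result and the row's stored owner is never overwritten.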

Responsible

Wordfence

Reservation

05/21/2026

Disclosure

06/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00232

KEV

no

Activities

low
