CVSS 9.8 | CVE-2025-15403 | CVE-2026-32498

RegistrationMagic: Unauth. Privilege Escalation & Auth. Bypass

Critical: RegistrationMagic plugin suffers from privilege escalation (CVE-2025-15403) and authorization bypass (CVE-2026-32498). Update now!


Multiple vulnerabilities have been discovered in the RegistrationMagic plugin for WordPress, including privilege escalation and unauthorized access. These flaws could allow attackers to gain administrative control or perform unauthorized actions on affected sites. A patch is now available; immediate updating is highly recommended.

CVE-2025-15403 has a critical CVSS score of 9.8, while CVE-2026-32498 is rated as medium severity.

What is Custom Registration Form Builder With Submission Manager?

Custom Registration Form Builder With Submission Manager, also known as RegistrationMagic, is a WordPress plugin for creating custom registration forms, managing user registrations, handling payments, and facilitating user logins. It provides tools for designing custom forms, collecting user information, processing payments, and controlling user access, and it is widely used by website owners who need tailored registration experiences for their users.

CVE-2025-15403: Unauthenticated Privilege Escalation

CVSS: 9.8
Affected versions: RegistrationMagic versions up to and including 6.0.7.1 are vulnerable. Exploitation requires at least a subscriber user account.

Critical severity, requiring no user interaction for exploitation.

EPSS score of 0.144 indicates a relatively low probability of exploitation.

An unauthenticated privilege escalation vulnerability exists due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action. By injecting an empty slug into the order parameter, attackers can manipulate the plugin's menu generation logic, granting 'manage_options' capability to a target role.

How to fix CVE-2025-15403 in RegistrationMagic

Patch immediately
  1. Update the RegistrationMagic plugin to version 6.0.7.2 or higher:

     wp plugin update custom-registration-form-builder-with-submission-manager

Verify with:

     wp plugin list

Workaround: There is no known workaround besides updating the plugin.

NextGuard automatically flags CVE-2025-15403 if RegistrationMagic appears in any of your monitored projects — no manual lookup required.

CVE-2026-32498: Missing Authorization Vulnerability

CVSS: 5.3
Affected versions: RegistrationMagic versions up to and including 6.0.7.6 are affected.

Medium severity, requiring no privileges for exploitation.

EPSS score of 0.042 suggests a low probability of exploitation.

A missing authorization check on a function allows unauthenticated attackers to perform unauthorized actions. This vulnerability stems from the lack of proper capability verification within the plugin's code.

How to fix CVE-2026-32498 in RegistrationMagic

Patch within 24h
  1. Update the RegistrationMagic plugin to version 6.0.7.7 or higher:

     wp plugin update custom-registration-form-builder-with-submission-manager

Verify with:

     wp plugin list

Workaround: There is no known workaround besides updating the plugin.

NextGuard automatically flags CVE-2026-32498 if RegistrationMagic appears in any of your monitored projects — no manual lookup required.
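
A combined post-update check for both fixes above, as an added example that is not part of the original advisory or the plugin's own code: it maps the installed version to the CVEs it is still unpatched for, using the fixed versions 6.0.7.2 and 6.0.7.7 from this page, and lists non-administrator roles that hold 'manage_options'. Function names are hypothetical, and the live part assumes WP-CLI is run from the WordPress root.

```shell
#!/bin/sh
# Added example: version thresholds are the fixed releases named in this advisory.
# Function names are hypothetical and not part of the plugin or WP-CLI.
SLUG=custom-registration-form-builder-with-submission-manager

# version_lt A B: succeed when dotted numeric version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# open_cves VERSION: print the CVEs from this advisory that VERSION is not patched for.
open_cves() {
    out=""
    if version_lt "$1" 6.0.7.2; then out="CVE-2025-15403"; fi
    if version_lt "$1" 6.0.7.7; then out="${out:+$out }CVE-2026-32498"; fi
    printf '%s\n' "$out"
}

# roles_with_manage_options: read "role capability" pairs on stdin and print every
# role other than administrator that holds manage_options, the capability the
# advisory says CVE-2025-15403 can grant to a target role.
roles_with_manage_options() {
    awk '$2 == "manage_options" && $1 != "administrator" { print $1 }' | sort -u
}

# Live check: runs only where WP-CLI is installed.
if command -v wp >/dev/null 2>&1; then
    ver=$(wp plugin get "$SLUG" --field=version)
    echo "installed: $ver  unpatched: $(open_cves "$ver")"
    for role in $(wp role list --field=role); do
        wp cap list "$role" | sed "s/^/$role /"
    done | roles_with_manage_options
fi
```

Updating the plugin does not revert capabilities that were already changed, so any role this prints should be reviewed and compared against the site's intended role design.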

Stay ahead of WordPress vulnerabilities

Proactively defend your WordPress sites with vulnerability monitoring: monitor your WordPress dependencies to receive alerts about new threats.


Ensure your WordPress sites are secure by promptly applying the necessary updates. Stay informed about the latest threats and vulnerabilities by using a vulnerability monitoring platform.
