WordPress Plugin Vulnerabilities

RegistrationMagic < 5.2.6.0 - Cross-Site Request Forgery

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5.9. This is due to missing or incorrect nonce validation on the rm_options_default_payment_method() function. This makes it possible for unauthenticated attackers to update the default payment method via a forged request granted they can trick an authenticated site user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
custom-registration-form-builder-with-submission-manager
Fixed in 5.2.6.0

References

CVE
CVE-2024-25935
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/26d70dee-c098-40f1-962a-db56791ae221

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
8a23784d-9f79-4e65-b0e1-4a0a1ad4e1e1

Timeline

Publicly Published
2024-02-20 (about 2 years ago)
Added
2024-04-22 (about 2 years ago)
Last Updated
2024-04-22 (about 2 years ago)

Other

Published
Title
Published
2025-12-19
Title
Amazon affiliate lite Plugin <= 1.0.0 - Cross-Site Request Forgery to Plugin Settings Update
Published
2026-02-06
Title
TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update
Published
2025-02-18
Title
Disable Auto Updates <= 1.4 - Cross-Site Request Forgery to Auto-update Disable
Published
2022-11-11
Title
AdRotate Banner Manager < 5.9.1 - Password Change via CSRF
Published
2022-08-01
Title
MailerLite - Signup forms (official) < 1.5.8 - API Key Update via CSRF