WordPress Plugin Vulnerabilities

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 6.0.7.0 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment.

Affects Plugins

Plugin icon
custom-registration-form-builder-with-submission-manager
Fixed in 6.0.7.0

References

CVE
CVE-2025-14444
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98a-c465df3e2bed

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Md. Moniruzzaman Prodhan (NomanProdhan)
Verified
No
WPVDB ID
b73d8f58-1962-4117-b8e7-40aac0026ca9

Timeline

Publicly Published
2026-02-17 (about 3 months ago)
Added
2026-02-17 (about 3 months ago)
Last Updated
2026-02-18 (about 3 months ago)

Other

Published
Title
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Content Injection
Published
2023-10-11
Title
Responsive Tabs < 4.0.6 - Authenticated (Contributor+) Content Injection
Published
2021-01-12
Title
WP Quick FrontEnd Editor <= 5.5 - Authenticated Content Injection
Published
2024-06-06
Title
PPOM for WooCommerce < 32.0.21 - Unauthenticated Content Injection Vulnerability
Published
2025-01-03
Title
Poll Maker < 5.5.5 - Unauthenticated HTML Injection