RegistrationMagic <= 5.0.1.7 - Authentication Bypass

Wordfence Intelligence   >   Vulnerability Database   >   RegistrationMagic <= 5.0.1.7 - Authentication Bypass
9.8
Improper Authentication
CVE CVE-2021-4073
CVSS 9.8 (Critical)
Publicly Published December 8, 2021
Last Updated January 22, 2024
Researchers Marco Wotschka - Wordfence
Chloe Chamberland - Wordfence
AyeCode Ltd

Description

The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.

Learn more about Authentication Bypass vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for RegistrationMagic – User Registration Forms Plugin

RegistrationMagic – User Registration Forms Plugin

Software Type Plugin
Software Slug custom-registration-form-builder-with-submission-manager (view on wordpress.org)
Patched? Yes
Remediation Update to version 5.0.1.8, or a newer patched version
Affected Version
  • <= 5.0.1.7
Patched Version
  • 5.0.1.8

Recent vulnerabilities in RegistrationMagic – User Registration Forms Plugin

RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 - Missing Authorization
5.3
CVE-2026-49764
Jun 4, 2026
Researcher: James Paremain
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.6 - Missing Authorization
5.3
CVE-2026-32498
Mar 20, 2026
Researcher: Supakiad S. (m3ez)
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authentication Bypass
9.8
CVE-2026-24373
Mar 12, 2026
Researcher: 0xd4rk5id3
RegistrationMagic <= 6.0.7.6 - Missing Authorization
4.3
CVE-2026-32385
Feb 18, 2026
Researcher: Supakiad S. (m3ez)
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment
5.3
CVE-2025-14444
Feb 17, 2026
Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
RegistrationMagic < 6.0.7.2 - Missing Authorization
4.3
CVE-2026-0929
Feb 16, 2026
Researcher: Maktoum (bRpsd)
RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification
5.3
CVE-2026-1054
Jan 27, 2026
Researcher: Md. Moniruzzaman Prodhan (NomanProdhan)
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authenticated (Subscriber+) Information Exposure
5.3
CVE-2025-15520
Jan 23, 2026
Researcher: Maktoum (bRpsd)
RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order
9.8
CVE-2025-15403
Jan 16, 2026
Researcher: Osvaldo Noe Gonzalez Del Rio (Os)
RegistrationMagic <= 6.0.6.9 - Cross-Site Request Forgery
4.3
CVE-2026-24374
Jan 10, 2026
Researcher: 0xd4rk5id3
# Title CVE ID CVSS Researchers Date
1 RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 - Missing Authorization CVE-2026-49764 5.3 James Paremain June 4, 2026
2 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.6 - Missing Authorization CVE-2026-32498 5.3 Supakiad S. (m3ez) March 20, 2026
3 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authentication Bypass CVE-2026-24373 9.8 0xd4rk5id3 March 12, 2026
4 RegistrationMagic <= 6.0.7.6 - Missing Authorization CVE-2026-32385 4.3 Supakiad S. (m3ez) February 18, 2026
5 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment CVE-2025-14444 5.3 Md. Moniruzzaman Prodhan (NomanProdhan) February 17, 2026
6 RegistrationMagic < 6.0.7.2 - Missing Authorization CVE-2026-0929 4.3 Maktoum (bRpsd) February 16, 2026
7 RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification CVE-2026-1054 5.3 Md. Moniruzzaman Prodhan (NomanProdhan) January 27, 2026
8 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authenticated (Subscriber+) Information Exposure CVE-2025-15520 5.3 Maktoum (bRpsd) January 23, 2026
9 RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order CVE-2025-15403 9.8 Osvaldo Noe Gonzalez Del Rio (Os) January 16, 2026
10 RegistrationMagic <= 6.0.6.9 - Cross-Site Request Forgery CVE-2026-24374 4.3 0xd4rk5id3 January 10, 2026
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation