RegistrationMagic – Custom Registration Forms, User Registration, P…

Mar 19, 2026 | Plugins

Attack Vectors

CVE-2025-15520 affects the WordPress plugin RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (slug: custom-registration-form-builder-with-submission-manager) in versions up to and including 6.0.7.1. The issue is rated Medium severity (CVSS 5.3).

An attacker must be able to log in to your WordPress site with Subscriber-level access or higher. This matters for organizations that allow public account creation (e.g., membership sites, gated content, partner portals, event registrations) or that have many low-privilege accounts that are difficult to monitor.

Security Weakness

The vulnerability is categorized as Sensitive Information Exposure. In practical terms, it may allow an authenticated user to extract sensitive user data and/or configuration data from the RegistrationMagic plugin environment beyond what their role should normally be able to access.

Even when no data is modified, exposure issues can still create material risk: sensitive details can be used to support targeted phishing, account takeovers, or further exploitation of other systems and plugins.

Technical or Business Impacts

Potential impacts depend on what data is exposed in your specific configuration, but may include privacy and compliance concerns (e.g., improper access to user-related information), increased fraud and phishing risk, and higher likelihood of secondary compromise as attackers pivot using any exposed details.

For marketing directors and business owners, the most common downstream effects are brand damage, customer support burden, and reporting obligations. If your site is used for lead capture, paid registrations, or member login, you should treat any information-exposure vulnerability as a risk to customer trust and conversion performance.

Remediation: Update RegistrationMagic to 6.0.7.2 or newer (patched). After updating, consider reviewing who has Subscriber access, reducing unnecessary accounts, and monitoring for unusual account activity around registration and login workflows.

Similar Attacks

Information exposure and data-access failures have driven major real-world incidents, including:

Equifax data breach settlement (FTC)
SEC action related to Marriott’s disclosure controls following a breach (SEC Press Release)
LastPass notice of security incident (LastPass)
