CVE-2026-0929
Description
The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RegistrationMagic WordPress plugin before 6.0.7.2 allows subscribers and higher to create forms due to missing capability checks, leading to unauthorized form creation.
Vulnerability Overview
The RegistrationMagic WordPress plugin, versions prior to 6.0.7.2, fails to properly enforce capability checks when creating forms. This missing authorization (CWE-862) allows any authenticated user with at least the Subscriber role to create new forms on the site [1].
Exploitation
An attacker who has obtained a subscriber-level account (or higher) can exploit this flaw by navigating to the form creation functionality. No additional privileges are required beyond a standard subscriber account. The plugin does not verify that the user has the necessary permissions (e.g., edit_posts or manage_options) before allowing form creation [1].
Impact
By creating arbitrary forms, an attacker could craft forms to collect sensitive information from other users, such as login credentials or personal data, potentially leading to further compromise. The ability to create forms without authorization undermines the site's access control model and can be used for phishing or data exfiltration attacks.
Mitigation
The vulnerability has been fixed in version 6.0.7.2 of the RegistrationMagic plugin. Users are strongly advised to update to this version or later to prevent unauthorized form creation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <6.0.7.2
Patches
No patches discovered yet.
References