CVE-2026-32385

Vulnerability

Overview

CVE-2026-32385 is a missing authorization vulnerability in the WordPress plugin RegistrationMagic (custom-registration-form-builder-with-submission-manager), affecting versions from n/a through 6.0.7.6. The issue stems from incorrectly configured access control security levels, which can be exploited by attackers to exploit broken access control mechanisms [1].

Exploitation

The vulnerability is classified as a broken access control issue, meaning that certain functions lack proper authorization, authentication, or nonce token checks. This allows an unprivileged user to perform actions that should require higher privileges. The attack does not require authentication for the vulnerable endpoint, making it accessible to any visitor [1].

Impact

Successful exploitation could allow an attacker to gain unauthorized access to administrative functions or sensitive data, depending on the specific missing check. The CVSS v3 score is 5.4 (Medium), indicating a moderate severity. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has released version 6.0.7.7 which addresses the issue. Users are strongly advised to update immediately. For Patchstack users, auto-updates can be enabled for vulnerable plugins can be enabled. If unable to update, contacting the hosting provider or web developer for assistance is recommended [1].