VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49764

Description

Unauthenticated broken authentication in RegistrationMagic <=6.0.8.6 allows attackers to gain admin access via malicious requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

RegistrationMagic versions up to 6.0.8.6 suffer from an unauthenticated broken authentication vulnerability. The flaw resides in an endpoint that an attacker can abuse, without any authentication, to perform actions normally restricted to higher-privileged users. All versions prior to 6.0.8.7 are affected. [1]

Exploitation

No authentication is needed to exploit this vulnerability. An attacker can send specially crafted requests to the vulnerable endpoint, triggering the broken authentication. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size. [1] The exact sequence of steps is not publicly detailed, but the endpoint allows unauthorized actions.

Impact

Successful exploitation could allow a malicious actor to gain administrator-level access to the WordPress website. This results in full compromise of the site, including the ability to disclose, modify, or delete data, and potentially launch further attacks. [1]

Mitigation

The vulnerability is fixed in version 6.0.8.7. Users should update immediately to that release. For those unable to update, Patchstack has issued a mitigation rule that blocks attacks until the patch is applied. Because the block is broad, the mitigation may also block legitimate PayPal IPN callbacks on sites using the legacy PayPal IPN payment flow. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1