Stored Cross-Site Scripting Vulnerability in RegistrationMagic Plugin for WordPress
CVE-2025-13610

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Registrationmagic – Custom Registration Forms, User Registration, Payment, And User Login
Vendor: CVE Published:; 15 December 2025

What is CVE-2025-13610?

The RegistrationMagic plugin for WordPress is exposed to Stored Cross-Site Scripting vulnerabilities due to inadequate input sanitization and output escaping. This flaw allows authenticated attackers with contributor level access and higher to exploit the 'RM_Forms' shortcode. By crafting malicious scripts in the 'theme' attribute, they can inject harmful scripts into pages that execute when accessed by users. All versions before 6.0.6.7 are affected, raising significant security concerns for sites using this plugin.

Affected Version(s)

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login * <= 6.0.6.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3414853/cust...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 15, 2025
Vulnerability Reserved
Nov 24, 2025

Credit

Muhammad Yudha - DJ

JSON