Cross-Site Request Forgery in RegistrationMagic User Registration Forms Plugin for WordPress
CVE-2026-12158
8.8 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12158?
The RegistrationMagic – User Registration Forms Plugin for WordPress is susceptible to Cross-Site Request Forgery due to inadequate nonce validation in the process_request function. This vulnerability allows unauthenticated attackers to escalate the privileges of an arbitrary form submitter to an administrator role by tricking a site administrator into executing a malicious action, such as clicking a link associated with a crafted Chronos automation task launched via WordPress cron jobs.
Affected Version(s)
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: versions 0 through 6.0.9.1 (inclusive)