RegistrationMagic WordPress Plugin CSRF to Privilege Escalation Granting Admin Access (CVE-2026-12158)

Scope: RegistrationMagic Plugin Versions up to and Including 6.0.9.1

Severity: High

A missing nonce validation flaw in the RegistrationMagic WordPress plugin's process_request function allows an unauthenticated attacker to craft a forged Chronos automation task and deliver it via a malicious link; if a site administrator clicks the link, the attacker can escalate any registered form submitter's role to Administrator, resulting in full site compromise, data exfiltration, malware distribution, and persistent backdoor access. While the attack requires an administrator to click the forged link (making it a social engineering step), the absence of any server-side request validation means the payload delivers silently with no confirmation dialog or other warning to the administrator. Organizations must update to RegistrationMagic version 6.0.9.2 immediately, audit administrator accounts and all Chronos automation tasks for unauthorized entries, rotate all admin credentials, and scan for indicators of compromise.
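As an added illustration (not RegistrationMagic's own code) of the server-side request validation whose absence the advisory describes: a WordPress admin-post handler written first without and then with the nonce and capability checks. The function names, the `example_plugin_run_task` action and the `_example_nonce` field are hypothetical.

```php
<?php
// Added example, not the plugin's code. Shows the WordPress nonce + capability
// pattern that stops a forged link from triggering a state change.

// Placeholder for the real state change (e.g. running an automation task).
function example_plugin_apply_task( $task_id ) {
    update_option( 'example_plugin_last_task', (int) $task_id );
}

// Emits the link the admin clicks from the plugin's own UI. wp_nonce_url()
// appends a nonce bound to this action, this task id and the admin's session.
function example_plugin_task_link( $task_id ) {
    $url = admin_url( 'admin-post.php?action=example_plugin_run_task&task_id=' . (int) $task_id );
    return wp_nonce_url( $url, 'example_plugin_run_task_' . (int) $task_id, '_example_nonce' );
}

// Vulnerable pattern: acts on any request that arrives while an admin is
// logged in, so a link hosted anywhere runs with the admin's cookies.
function example_plugin_run_task_unsafe() {
    $task_id = isset( $_REQUEST['task_id'] ) ? (int) $_REQUEST['task_id'] : 0;
    example_plugin_apply_task( $task_id ); // no nonce check, no capability check
}

// Hardened pattern: the nonce proves the request came from a page this site
// rendered for this user; the capability check proves the user is authorized.
function example_plugin_run_task() {
    $task_id = isset( $_REQUEST['task_id'] ) ? (int) $_REQUEST['task_id'] : 0;
    $nonce   = isset( $_REQUEST['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_example_nonce'] ) ) : '';

    // Nonces derive from a server secret and the victim's session token, so a
    // third-party page cannot produce a valid one for this action and task id.
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_run_task_' . $task_id ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    // A valid nonce is not authorization: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    example_plugin_apply_task( $task_id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_plugin_run_task', 'example_plugin_run_task' );
```

Any handler that changes a user's role should apply the same two checks and should also be covered when auditing Chronos tasks and administrator accounts as the advisory recommends.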

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.