{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14444", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-10T13:27:01.938Z", "datePublished": "2026-02-18T10:20:47.975Z", "dateUpdated": "2026-04-08T16:33:38.934Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:38.934Z"}, "affected": [{"vendor": "metagauss", "product": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.6.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment."}], "title": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98a-c465df3e2bed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L324"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/services/class_rm_paypal_service.php#L324"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/includes/class_registration_magic.php#L232"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426151"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-345 Insufficient Verification of Data Authenticity", "cweId": "CWE-345", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-01-23T06:45:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T21:54:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:26:18.682300Z", "id": "CVE-2025-14444", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:50:42.109Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:26:18.682300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:26:19.889Z"}}], "cna": {"title": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metagauss", "product": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.0.6.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T06:45:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T21:54:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98a-c465df3e2bed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L324"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/services/class_rm_paypal_service.php#L324"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/includes/class_registration_magic.php#L232"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426151"}], "descriptions": [{"lang": "en", "value": "The RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:38.934Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14444", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:38.934Z", "dateReserved": "2025-12-10T13:27:01.938Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T10:20:47.975Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment."}, {"lang": "es", "value": "El plugin RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login para WordPress es vulnerable a la elusi\u00f3n de pagos debido a una verificaci\u00f3n insuficiente de la autenticidad de los datos en la funci\u00f3n 'process_paypal_sdk_payment' en todas las versiones hasta la 6.0.6.9, inclusive. Esto se debe a que el plugin conf\u00eda en los valores proporcionados por el cliente para la verificaci\u00f3n de pagos sin validar que el pago realmente se realiz\u00f3 a trav\u00e9s de PayPal. Esto hace posible que atacantes no autenticados eludan el registro de pago manipulando el estado del pago y activando su cuenta sin completar un pago real de PayPal."}], "id": "CVE-2025-14444", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T11:16:30.453", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/includes/class_registration_magic.php#L232"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/services/class_rm_paypal_service.php#L324"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L324"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3426151"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98a-c465df3e2bed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.0.6.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login", "source": "cna", "vendor": "metagauss"}, "product": "registrationmagic_\u2013_custom_registration_forms,_user_registration,_payment,_and_user_login", "vendor": "metagauss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T21:02:03.175133+00:00", "value": {"mitigation_remediation": ["Upgrade the RegistrationMagic plugin to a version newer than 6.0.6.9 that implements proper server\u2011side verification of PayPal payment status.", "Configure the web application to require confirmation from the PayPal API before accepting any payment status; reject requests that lack a verified PayPal transaction.", "If an immediate upgrade is not possible, add a layer of authentication or a unique validation token to the payment processing endpoint, and monitor activity logs for anomalous registration attempts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Payment Bypass"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login plugin in versions 6.0.6.7 through 6.0.6.9 are affected. The plugin is distributed by metagauss and is widely deployed for custom registration and payment handling in WordPress environments. Sites that expose the process_paypal_sdk_payment endpoint to anonymous users are at direct risk.", "description_and_impact": "The vulnerability resides in the RegistrationMagic plugin\u2019s process_paypal_sdk_payment function, where client\u2011supplied payment data is accepted without verification against PayPal\u2019s records. Because the payment status is not validated on the server side, an attacker can forge the transaction parameters and complete a registration without actually completing a PayPal payment. This flaw is classified as CWE\u2011345 and represents a failure to ensure the authenticity of payment information, leading to a full compromise of the paid\u2011registration workflow.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, the likely attack vector is an unauthenticated HTTP request to the process_paypal_sdk_payment endpoint, where an attacker supplies forged payment parameters. If successful, the attacker can gain access to paid registration features without authorizing a real PayPal transaction, fully undermining the site\u2019s payment integrity."}}}}, "created": "2026-02-19T10:20:24.515652+00:00", "updated": "2026-04-27T21:15:05.533731+00:00", "vendors": ["metagauss", "metagauss$PRODUCT$registrationmagic_\u2013_custom_registration_forms,_user_registration,_payment,_and_user_login", "wordpress", "wordpress$PRODUCT$wordpress"]}