{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0929", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-13T21:48:59.398Z", "datePublished": "2026-02-16T06:00:01.611Z", "dateUpdated": "2026-02-17T18:22:21.617Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-02-16T06:00:01.611Z"}, "title": "RegistrationMagic < 6.0.7.2 - Subscriber+ Form Creation", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "RegistrationMagic", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "6.0.7.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site."}], "references": [{"url": "https://wpscan.com/vulnerability/c0f17d83-6199-4676-90ec-4fba1e7fcf0f/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "bRpsd", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T18:22:18.422992Z", "id": "CVE-2026-0929", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T18:22:21.617Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0929", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T18:22:18.422992Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:53:31.307Z"}}], "cna": {"title": "RegistrationMagic < 6.0.7.2 - Subscriber+ Form Creation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "bRpsd"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "RegistrationMagic", "versions": [{"status": "affected", "version": "0", "lessThan": "6.0.7.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/c0f17d83-6199-4676-90ec-4fba1e7fcf0f/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-02-16T06:00:01.611Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0929", "state": "PUBLISHED", "dateUpdated": "2026-02-17T18:22:21.617Z", "dateReserved": "2026-01-13T21:48:59.398Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-02-16T06:00:01.611Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site."}, {"lang": "es", "value": "El plugin de WordPress RegistrationMagic anterior a la versi\u00f3n 6.0.7.2 no cuenta con comprobaciones de capacidad adecuadas, permitiendo a los suscriptores y superiores crear formularios en el sitio."}], "id": "CVE-2026-0929", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-16T07:17:00.197", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/c0f17d83-6199-4676-90ec-4fba1e7fcf0f/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.0.7.2)"}}], "product": "registrationmagic", "vendor": "registrationmagic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T19:13:37.785114+00:00", "value": {"mitigation_remediation": ["Update the RegistrationMagic plugin to version 6.0.7.2 or later.", "If immediate upgrade is not possible, disable the form creation capability for the Subscriber role using a role management plugin or custom code.", "Verify that all form creation routes are protected by proper capability checks before allowing content submission."], "summary": {"action": "Upgrade", "impact": "Unauthorized form creation by subscribers"}, "threat_synthesis": {"affected_systems": "WordPress sites that utilize the RegistrationMagic plugin version earlier than 6.0.7.2 are affected. The vulnerability applies to all installations where the plugin is active, regardless of other configuration settings, as the capability check is performed at the plugin level and not mediated by other WordPress core roles or capabilities.", "description_and_impact": "The RegistrationMagic plugin, prior to version 6.0.7.2, fails to enforce proper capability checks, enabling users with the Subscriber role or higher to create forms on the website. This flaw allows an attacker who can earn the Subscriber role, which is typically granted to many users, to add arbitrary form configurations without additional authorization. The primary impact is the potential for malicious forms to be introduced, which could be leveraged for phishing, spam, or other social engineering attacks, compromising the integrity of the site\u2019s user interface and possibly exposing sensitive data to unintended audiences. The weakness is a missing authorization check, identified as CWE-862.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of under 1% shows a low likelihood of exploitation at the time of analysis. Because the flaw permits form creation by users who normally lack that permission, an attacker must first obtain a Subscriber role, which can be achieved through social engineering or exploiting other vulnerabilities. There is no indication of additional prerequisites such as elevated privileges or code execution, so the attack vector is likely local or through the normal user workflow of a WordPress site. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Nonetheless, the potential for abuse exists if the site\u2019s demographics or exposure warrant such concern."}}}}, "created": "2026-02-16T09:42:27.447114+00:00", "updated": "2026-04-17T19:15:26.260965+00:00", "vendors": ["registrationmagic", "registrationmagic$PRODUCT$registrationmagic", "wordpress", "wordpress$PRODUCT$wordpress"]}