PT-2026-20378 · WordPress · Registrationmagic – Custom Registration Forms
Published: 2026-02-18 · Updated: 2026-02-18 · CVE-2025-14444
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress versions through 6.0.6.9
Description
The RegistrationMagic plugin for WordPress has a flaw that allows payments to be bypassed. The plugin does not adequately verify the authenticity of payment data received from the client in the process_paypal_sdk_payment function. Specifically, it trusts client-supplied values for payment verification without confirming that a legitimate PayPal payment has been completed. This allows attackers to activate accounts without making actual payments.
Recommendations
Update RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress to a version later than 6.0.6.9.
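The weakness class described above, shown as an added example that is not RegistrationMagic code and not the vendor's fix: a check that trusts a client-supplied status beside one that accepts only an order confirmed by a server-side lookup. All function and field names on the plugin side are hypothetical, `$fetch_order` stands in for an authenticated server-to-server request for the order details, and the response fields are assumed to follow the PayPal Orders v2 shape.

```php
<?php
// Added illustration; not RegistrationMagic code. Plugin-side names are hypothetical.

// Vulnerable pattern: the browser's own claim is the only evidence of payment.
function is_paid_trusting_client(array $post): bool {
    return ($post['payment_status'] ?? '') === 'COMPLETED';
}

function to_cents(string $amount): int {
    return (int) round(((float) $amount) * 100);
}

// Hardened pattern. $fetch_order performs the server-to-server lookup of the
// order at PayPal; $expected is read from the server's pending-registration row.
function is_paid_verified(string $order_id, array $expected, callable $fetch_order, array &$used): bool {
    if ($order_id === '' || isset($used[$order_id])) {
        return false;                          // missing or replayed order id
    }
    $order = $fetch_order($order_id);          // null when PayPal has no such order
    $unit = $order['purchase_units'][0] ?? [];
    $capture = $unit['payments']['captures'][0] ?? [];
    $ok = ($order['status'] ?? '') === 'COMPLETED'
        && ($capture['status'] ?? '') === 'COMPLETED'
        && ($unit['custom_id'] ?? '') === $expected['submission_id']
        && ($capture['amount']['currency_code'] ?? '') === $expected['currency']
        && to_cents($capture['amount']['value'] ?? '0') === to_cents($expected['amount']);
    if ($ok) {
        $used[$order_id] = true;               // one order activates one account
    }
    return $ok;
}

// Constructed sample data: a completed 25.00 USD order as the lookup would return it.
$paypal = ['ORDER-EXAMPLE-1' => [
    'status' => 'COMPLETED',
    'purchase_units' => [[
        'custom_id' => 'sub-1001',
        'payments' => ['captures' => [['status' => 'COMPLETED',
            'amount' => ['currency_code' => 'USD', 'value' => '25.00']]]],
    ]],
]];
$fetch = fn(string $id) => $paypal[$id] ?? null;   // stand-in for the HTTPS call
$expected = ['submission_id' => 'sub-1001', 'currency' => 'USD', 'amount' => '25.00'];
$used = [];
var_dump(is_paid_trusting_client(['payment_status' => 'COMPLETED'])); // client-asserted status only
var_dump(is_paid_verified('ORDER-MADE-UP', $expected, $fetch, $used));   // id the lookup does not know
var_dump(is_paid_verified('ORDER-EXAMPLE-1', $expected, $fetch, $used)); // genuine order
var_dump(is_paid_verified('ORDER-EXAMPLE-1', $expected, $fetch, $used)); // same order presented again
```

In a real deployment the set of consumed order IDs would be persisted with the registration record rather than held in a request-local array.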
Fix
Insufficient Verification of Data Authenticity
Weakness Enumeration
Related Identifiers
Affected Products
Registrationmagic – Custom Registration Forms