The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress suffers from an SQL Injection vulnerability identified as CVE-2025-11204. This vulnerability arises due to improper neutralization of special elements in SQL commands (CWE-89), specifically caused by insufficient escaping of user-supplied parameters and lack of prepared statements in the plugin's code. Authenticated attackers with administrator privileges can append arbitrary SQL queries to existing database queries, enabling them to extract sensitive information such as user credentials, payment data, or other confidential records stored in the WordPress database. The plugin also exposes a reflected Cross-Site Scripting (XSS) vulnerability via the user-agent header during form submission, which can be exploited by unauthenticated attackers to execute malicious scripts in the context of the victim’s browser. The vulnerability affects all versions up to and including 6.0.6.2. The CVSS v3.1 base score is 7.2, indicating high severity, with an attack vector of network, low attack complexity, requiring high privileges but no user interaction, and impacting confidentiality, integrity, and availability. No official patches have been linked yet, and no known exploits are reported in the wild as of the publication date. The vulnerability is critical for sites relying on this plugin for user registration and payment processing, as it could lead to data breaches and site compromise.

The impact of CVE-2025-11204 is significant for organizations using the RegistrationMagic plugin, especially those handling sensitive user data and payment information. Successful exploitation by an authenticated administrator-level attacker can lead to unauthorized data disclosure, modification, or deletion, severely compromising the confidentiality, integrity, and availability of the WordPress site and its database. This could result in data breaches, financial fraud, loss of customer trust, and regulatory penalties. The reflected XSS vulnerability further increases risk by enabling attackers to execute malicious scripts, potentially leading to session hijacking, phishing, or malware distribution. Organizations with large user bases or e-commerce operations are particularly vulnerable. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation, as attackers may develop exploits rapidly once the vulnerability is public. The threat also poses reputational damage and operational disruption risks for affected websites.

To mitigate CVE-2025-11204, organizations should immediately upgrade the RegistrationMagic plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict plugin access strictly to trusted personnel and consider disabling the plugin if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns and unusual user-agent strings can provide temporary protection. Conduct thorough input validation and sanitization on all user inputs, especially those interacting with SQL queries. Employ the principle of least privilege by limiting administrator accounts and monitoring their activities closely. Regularly audit database logs for anomalous queries indicative of injection attempts. Additionally, harden WordPress installations by disabling unnecessary plugins and enforcing strong authentication mechanisms. For the reflected XSS vector, ensure HTTP headers like Content Security Policy (CSP) and X-Content-Type-Options are configured to reduce script injection risks. Finally, maintain regular backups and incident response plans to recover quickly from potential compromises.