CVE-2026-1054 is a vulnerability identified in the RegistrationMagic WordPress plugin, which provides custom registration forms, user registration, payment, and login functionalities. The flaw arises due to missing authorization controls and nonce verification in the rm_set_otp AJAX action handler. Nonce verification is a security measure to prevent Cross-Site Request Forgery (CSRF), and capability checks ensure only authorized users can perform sensitive actions. The absence of these checks means that unauthenticated attackers can send crafted AJAX requests to modify arbitrary plugin settings without any authentication or user interaction. This includes changing reCAPTCHA keys, which could disable or bypass bot protection, altering security settings that might weaken defenses, and modifying frontend menu titles, potentially facilitating phishing or social engineering attacks. The vulnerability affects all versions up to and including 6.0.7.4. The CVSS v3.1 base score is 5.3, reflecting medium severity, with attack vector being network (remote), low attack complexity, no privileges required, no user interaction, and impact limited to integrity. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-862 (Missing Authorization). Given the widespread use of WordPress and the plugin’s role in user management and payment, this vulnerability could be leveraged to undermine site security and trust.

The primary impact of this vulnerability is on the integrity of the affected WordPress sites using RegistrationMagic. Attackers can alter critical plugin settings, such as reCAPTCHA keys, potentially disabling anti-bot protections and increasing susceptibility to automated attacks or spam registrations. Changing security settings could weaken the overall security posture, and modifying frontend menu titles could facilitate phishing or mislead users. While confidentiality and availability are not directly impacted, the integrity compromise can lead to downstream risks including unauthorized access, fraud, or reputational damage. Organizations relying on this plugin for user registration and payment processing may face increased risk of fraudulent registrations, abuse of user accounts, or manipulation of payment workflows. The ease of exploitation and lack of authentication requirements increase the threat level, especially for sites exposed to the internet without additional protective controls.

1. Monitor the vendor’s official channels for patches or updates addressing CVE-2026-1054 and apply them promptly once available. 2. Until a patch is released, restrict access to the rm_set_otp AJAX endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests or limit access to trusted IP addresses. 3. Implement custom authorization checks in the plugin code or via hooks to ensure only authenticated and authorized users can invoke sensitive AJAX actions. 4. Regularly audit plugin settings, especially reCAPTCHA keys and security configurations, to detect unauthorized changes. 5. Employ security plugins that monitor and alert on suspicious AJAX requests or configuration changes. 6. Harden WordPress installations by disabling unnecessary AJAX actions and limiting plugin permissions. 7. Educate site administrators on the risks of unauthorized plugin setting changes and encourage regular backups to enable recovery from tampering.