CVE-2026-1054 identifies a Missing Authorization vulnerability (CWE-862) in the RegistrationMagic plugin for WordPress, versions up to and including 6.0.7.4. The root cause is the absence of nonce verification and capability checks in the rm_set_otp AJAX action handler, which is responsible for setting one-time passwords or related plugin settings. This lack of proper authorization allows unauthenticated attackers to invoke this AJAX endpoint remotely and modify arbitrary plugin settings. These settings include critical security configurations such as reCAPTCHA keys, which protect against automated abuse, security settings that govern plugin behavior, and frontend menu titles that could be manipulated for phishing or social engineering. The vulnerability is remotely exploitable over the network without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score of 5.3 reflects a medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), limited integrity impact (I:L), and no availability impact (A:N). No public exploits have been reported yet, but the vulnerability's nature makes it a candidate for exploitation in the future. The plugin is widely used for managing user registrations, payments, and login forms on WordPress sites, making it a valuable target for attackers seeking to undermine site security or manipulate user data.

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on WordPress sites with the RegistrationMagic plugin for user registration, payment processing, or login management. Unauthorized modification of plugin settings can lead to weakened security controls, such as disabling or altering reCAPTCHA protections, increasing the risk of automated attacks, spam registrations, or brute force login attempts. Attackers could also manipulate frontend menu titles to conduct phishing attacks or mislead users, potentially damaging brand reputation and user trust. While the vulnerability does not directly expose confidential data or cause service outages, the integrity compromise of security settings can facilitate further attacks or fraud. Organizations in sectors such as e-commerce, finance, education, and government services that use this plugin are at higher risk due to the sensitive nature of user data and transactions handled. The ease of exploitation without authentication or user interaction increases the likelihood of automated or opportunistic attacks, especially if the plugin remains unpatched. Additionally, the absence of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.

European organizations should take immediate steps to mitigate this vulnerability beyond generic patching advice. First, verify if the RegistrationMagic plugin is in use and identify the affected versions (up to 6.0.7.4). If possible, upgrade to a patched version once released by the vendor. Until a patch is available, restrict access to the rm_set_otp AJAX endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests targeting this action. Additionally, review and harden WordPress security configurations by disabling unnecessary AJAX actions or limiting them to authenticated users with appropriate capabilities. Implement monitoring and alerting for unexpected changes to plugin settings, especially reCAPTCHA keys and security configurations. Conduct regular audits of user registration and login logs to detect abnormal activity patterns. Educate site administrators about the risk and encourage prompt updates. Finally, consider isolating critical WordPress instances or using reverse proxies to add an additional layer of access control to sensitive plugin endpoints.