CVE-2026-32385 identifies a Missing Authorization vulnerability in the Metagauss RegistrationMagic plugin for WordPress, specifically affecting versions up to 6.0.7.6. The vulnerability stems from incorrectly configured access control mechanisms within the plugin's custom registration form builder and submission manager features. This misconfiguration allows unauthorized users to bypass intended authorization checks, potentially granting them access to restricted functionalities or data. Since RegistrationMagic is used to create and manage user registration forms, exploitation could lead to unauthorized data disclosure, modification of submissions, or manipulation of registration workflows. The vulnerability does not require user interaction and can be exploited remotely if the plugin is accessible. Although no known exploits have been reported in the wild, the absence of a patch and the critical nature of access control issues make this a significant risk. The vulnerability was reserved and published in March 2026, with no CVSS score assigned yet. The plugin is popular among WordPress sites globally, particularly those that require advanced registration management capabilities. The lack of detailed CWE classification and patch information suggests that further technical analysis and vendor response are pending. Organizations using RegistrationMagic should urgently assess their exposure and implement compensating controls until an official patch is available.

The primary impact of this vulnerability is unauthorized access due to missing authorization checks, which can compromise the confidentiality and integrity of user data managed through the RegistrationMagic plugin. Attackers could exploit this flaw to view or modify registration submissions, potentially leading to data leakage or manipulation of user accounts. This could result in unauthorized account creation, privilege escalation, or disruption of registration workflows. For organizations, this may lead to reputational damage, regulatory non-compliance (especially if personal data is exposed), and operational disruptions. Since the plugin is integrated into WordPress sites, the scope of affected systems is broad, including small businesses, educational institutions, and enterprises relying on WordPress for user management. The ease of exploitation is moderate to high given the lack of authorization barriers, and no authentication is required, increasing the risk. The absence of user interaction requirements further elevates the threat level. However, the lack of known exploits in the wild currently limits immediate widespread impact, though this could change rapidly once exploit code becomes available.

Organizations should immediately audit their use of the RegistrationMagic plugin and restrict access to its administrative and form management interfaces to trusted users only. Implementing Web Application Firewall (WAF) rules to monitor and block suspicious requests targeting the plugin’s endpoints can provide temporary protection. Administrators should review and tighten WordPress user roles and permissions to minimize exposure. Regularly back up registration data and monitor logs for unusual activity related to form submissions or plugin usage. Until an official patch is released by Metagauss, consider disabling the plugin or replacing it with alternative solutions that have robust access controls. Engage with the vendor for updates and apply patches promptly once available. Additionally, conduct penetration testing focusing on access control weaknesses in the registration workflows to identify and remediate any other potential authorization gaps.