CVE-2026-9242 describes an authentication bypass vulnerability in the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress. The vulnerability arises because the PayPal IPN callback handler is registered as a no-privilege AJAX action without authentication or nonce checks. Critically, the handler updates the payment log database with attacker-controlled POST data, including the payment status and a custom field encoding the target user ID, before validating the IPN with PayPal. This means the database can be poisoned even if the IPN validation fails. An attacker can exploit this by submitting a forged IPN request that overwrites a payment log entry's user ID with that of a target account, then visiting the success return URL with a valid security hash to receive legitimate WordPress authentication cookies for that account, effectively bypassing authentication.

The vulnerability allows unauthenticated attackers to impersonate any WordPress user, including administrators, by forging PayPal IPN requests that manipulate payment log entries. This leads to unauthorized access without needing valid credentials, posing a significant risk to site integrity and administrative control. The CVSS score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the AJAX action handling PayPal IPN callbacks, implement authentication and nonce verification for this handler, and monitor for suspicious IPN activity. Avoid relying on the plugin's current IPN processing for authentication. Follow vendor updates closely for an official patch or temporary fix.