Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total14
Critical4
High4
Medium6
Reset
Showing 1-14 of 14 records
Threat Entry Updated 2026-02-13

CVE-2025-15520 - Registrationmagic Plugin

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

PLUGIN Registrationmagic

CVE-2025-15520

MEDIUM CVSS 4.3 2026-02-13
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-1054 - Registrationmagic Plugin

The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.

PLUGIN Registrationmagic

CVE-2026-1054

MEDIUM CVSS 5.3 2026-01-28
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-15403 - Registrationmagic Plugin

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further…

PLUGIN Registrationmagic

CVE-2025-15403

CRITICAL CVSS 9.8 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-06-04

CVE-2024-9390 - Registrationmagic Plugin

The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Registrationmagic

CVE-2024-9390

MEDIUM CVSS 4.8 2025-05-15
Open Full Technical Breakdown
Threat Entry Updated 2025-01-29

CVE-2024-10508 - Registrationmagic Plugin

The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.

PLUGIN Registrationmagic

CVE-2024-10508

CRITICAL CVSS 9.8 2024-11-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-31

CVE-2024-1991 - Registrationmagic Plugin

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator

PLUGIN Registrationmagic

CVE-2024-1991

HIGH CVSS 8.8 2024-04-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-1990 - Registrationmagic Plugin

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter of the RM_Form shortcode in all versions up to, and including, 5.3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Registrationmagic

CVE-2024-1990

HIGH CVSS 8.8 2024-04-09
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-2499 - Registrationmagic Plugin

The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Registrationmagic

CVE-2023-2499

CRITICAL CVSS 9.8 2023-05-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-2548 - Registrationmagic Plugin

The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup.

PLUGIN Registrationmagic

CVE-2023-2548

MEDIUM CVSS 6.6 2023-05-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-0420 - Registrationmagic Plugin

The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks

PLUGIN Registrationmagic

CVE-2022-0420

HIGH CVSS 7.2 2022-03-07
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24648 - Registrationmagic Plugin

The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cross-Site Scripting

PLUGIN Registrationmagic

CVE-2021-24648

MEDIUM CVSS 6.1 2022-02-01
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24862 - Registrationmagic Plugin

The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue

PLUGIN Registrationmagic

CVE-2021-24862

HIGH CVSS 7.2 2022-01-10
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-4073 - Registrationmagic Plugin

The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.

PLUGIN Registrationmagic

CVE-2021-4073

CRITICAL CVSS 9.8 2021-12-14
Open Full Technical Breakdown
Scroll to top