CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-49764

CVSS 9.8v3.1pub. 2026-06-15

Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) consists of the fact that the plugin's authentication mechanism can be bypassed without providing any credentials. An attacker sending an appropriately crafted network request can gain access to functions or resources reserved exclusively for authenticated users. The attack does not require user interaction or special privileges, and can be carried out remotely over the network.

Impact

An attacker can gain unauthorized access to sensitive data, modify or destroy website resources, and potentially take full control of the site, which corresponds to high impact on the confidentiality, integrity, and availability of the system.

Mitigation & patch

The RegistrationMagic plugin must be updated immediately to a version higher than 6.0.8.6. Detailed information about the available patch can be found in the vendor's references and in the Patchstack database.

Who is affected

WordPress plugin RegistrationMagic (custom-registration-form-builder-with-submission-manager) in versions 6.0.8.6 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References