External risk intelligence

RegistrationMagic Unauthenticated Broken Authentication Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-49764

A critical vulnerability exists in a registration and form management technology, allowing unauthenticated attackers to bypass authentication and potentially gain unauthorized access. This issue could impact systems that handle user sign-ups and access controls. Confirming if this technology is in use is advised.

Halo Surface Signal score: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-49764

The vulnerability affects a WordPress plugin designed for user registration and form management. Such plugins are typically deployed as part of public-facing web applications to handle user interactions and data submission, making the registration interface commonly reachable from the internet.

PCI scan relevance

PCI Relevance for CVE-2026-49764

Yes

CVE-2026-49764 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability, an unauthenticated broken authentication in RegistrationMagic versions up to 6.0.8.6, is PCI scan-relevant because it allows unauthenticated attackers to bypass authentication mechanisms, potentially leading to critical system compromise.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in a user registration and form management technology that could allow unauthorized access. The issue stems from a weakness in how the system handles user authentication during registration.

  • Unauthenticated attackers can bypass registration security.
  • Matters for protecting user sign-up and access controls.
  • Confirm if this registration system is in use.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by accessing the registration feature of a website using the affected plugin. Since no authentication is required, an unauthenticated attacker can interact with the registration component, potentially leading to a complete compromise of the system. The precise attack path beyond this initial access is not detailed in the provided information.

  • No authentication required for access.
  • Triggered through the registration feature.
  • Risk of complete system compromise.

Live Threat

Current exploitation, exposure, and threat context

This unauthenticated broken authentication vulnerability could allow an attacker to bypass authentication controls. As the advisory describes it, this could lead to unauthorized access to user data and service functions.

  • User account data at risk.
  • Bypass authentication controls.
  • Unauthorized access to data.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in RegistrationMagic likely impacts application owners and potentially platform or infrastructure teams responsible for the web servers hosting WordPress. The initial practical step is to identify all instances of the affected plugin, determine their reachability and business criticality, and then confirm the accountable owner for each instance. Remediation planning should then be prioritized based on these findings.

  • Application owners should own the issue.
  • Verify plugin reachability and criticality.
  • Plan remediation based on identified risk.

Frequently asked questions

What is RegistrationMagic?

RegistrationMagic is a WordPress plugin used to manage user registrations and custom web forms. It simplifies how site owners collect information and handle sign-up workflows, acting as the bridge between visitors submitting data and the WordPress database.

What does broken authentication mean for CVE-2026-49764?

This vulnerability, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), means the plugin fails to properly verify identity during the registration process. Instead of following the intended security steps, an attacker can circumvent these checks to gain unauthorized access to the application.

How can an attacker trigger this vulnerability?

An attacker triggers this by interacting directly with the registration features of the affected plugin. Since the flaw does not require the attacker to have an existing account, it cannot be prevented by simple login restrictions. It is not triggered by administrative actions or actions occurring within secured, private areas of the site.

Is my site at risk?

According to Halo Surface Signal, this vulnerability is particularly relevant if your registration pages are reachable from the internet. Because the plugin is designed for public interaction, any site using the vulnerable version with exposed sign-up forms faces a higher risk of unauthorized access compared to internal-only tools.

How should I respond to this vulnerability?

Start by identifying all WordPress sites in your environment running this plugin. Once located, verify which sites have public-facing registration forms enabled and determine their business importance. Use this information to coordinate with the responsible site owners to plan necessary updates or security changes.
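The inventory step described under Operational Fix and in the answer above can be scripted. The check below is an added example, not code from the advisory or from the plugin's authors: it parses the JSON that WP-CLI's `wp plugin list --format=json` prints on each site and flags RegistrationMagic installs in the affected range (up to and including 6.0.8.6). The plugin slug is an assumption to verify on your own installs, and the sample inventory is constructed.

```python
import json
import re

LAST_AFFECTED = "6.0.8.6"  # advisory: affected versions are up to and including this
# Slug as `wp plugin list` reports it; an assumption here, verify on your own installs.
ASSUMED_SLUG = "custom-registration-form-builder-with-submission-manager"

def parse_version(version: str) -> tuple:
    """Dotted version -> comparable tuple, padded to four parts so "6.0.8"
    compares as 6.0.8.0 against the four-part boundary 6.0.8.6."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)

def find_exposures(inventory: dict, slug: str = ASSUMED_SLUG) -> list:
    """inventory maps a site label to the JSON text of `wp plugin list --format=json`.
    Returns (site, version, status) for each affected install. Inactive copies are
    included: the files are still on disk and one activation would expose the site."""
    findings = []
    for site, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") != slug:
                continue
            version = plugin.get("version") or "0"
            if is_affected(version):
                findings.append((site, version, plugin.get("status", "unknown")))
    return findings

# Constructed sample output, not real scan data; field names follow WP-CLI's JSON.
SAMPLE_INVENTORY = {
    "shop.example": json.dumps([
        {"name": ASSUMED_SLUG, "status": "active", "update": "available", "version": "6.0.8.6"},
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"}]),
    "intranet.example": json.dumps([
        {"name": ASSUMED_SLUG, "status": "inactive", "update": "available", "version": "6.0.8"}]),
    "blog.example": json.dumps([
        {"name": ASSUMED_SLUG, "status": "active", "update": "none", "version": "6.1.0"}]),
}

if __name__ == "__main__":
    for site, version, status in find_exposures(SAMPLE_INVENTORY):
        print(f"{site}: RegistrationMagic {version} ({status}) needs remediation")
```

Pair the version list with the reachability check from Halo Surface Signal (which sites expose a public sign-up form) to order the remediation queue.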

References