CVE-2025-14444

EPSS 0.01%
Veröffentlicht 18.02.2026 10:20:47
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment.

Mögliche Gegenmaßnahme

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: Update to version 6.0.7.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Version *-6.0.6.9

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellermetagauss

≫

Produkt RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Default Statusunaffected

Version <= 6.0.6.9

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.015

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98a-c465df3e2bed?source=cve

https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L324

https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/services/class_rm_paypal_service.php#L324

https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.7/includes/class_registration_magic.php#L232

https://plugins.trac.wordpress.org/changeset/3426151

https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98a-c465df3e2bed

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-14444

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-14444

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-14444

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-14444