Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
WordPress RegistrationMagic Plugin Allows Unauthorized Paid Registration
CVE-2025-14444
Summary
The RegistrationMagic plugin for WordPress does not properly verify payment information, allowing attackers to complete paid registrations without actually paying. This could allow unauthorized users to create accounts and access paid content. Update to the latest version of the plugin to fix this issue.
Original title
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authentic...
Original description
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment.
nvd CVSS3.1
5.3
Vulnerability type
CWE-345
- https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with...
- https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with...
- https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with...
- https://plugins.trac.wordpress.org/changeset/3426151
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0633bf06-6580-4feb-b98...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026