Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12158

CVE-2026-12158: RegistrationMagic WordPress CSRF Vulnerability

CVE-2026-12158 is a Cross-Site Request Forgery flaw in RegistrationMagic WordPress plugin allowing privilege escalation to administrator. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-12158 Overview

CVE-2026-12158 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the RegistrationMagic – User Registration Forms Plugin for WordPress. All versions up to and including 6.0.9.1 are affected. The root cause is missing or incorrect nonce validation on the process_request function. Unauthenticated attackers can escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task executed via WordPress cron. Exploitation requires tricking a site administrator into performing an action such as clicking a crafted link.

Critical Impact

Successful exploitation allows unauthenticated attackers to elevate an arbitrary user to WordPress administrator, resulting in full site compromise.

Affected Products

  • RegistrationMagic – User Registration Forms Plugin for WordPress, all versions up to and including 6.0.9.1
  • WordPress sites running the plugin's Chronos automation task subsystem
  • Sites where administrators can be socially engineered into visiting attacker-controlled content

Discovery Timeline

  • 2026-07-01 - CVE-2026-12158 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-12158

Vulnerability Analysis

The RegistrationMagic plugin exposes a Chronos task creation workflow used to schedule automated actions executed by WordPress cron. The task controller processes incoming requests through a process_request handler that fails to validate a WordPress nonce or otherwise verify request origin. Because request state is not bound to the administrator's session, any HTTP request originating from an authenticated admin browser is accepted as legitimate.

An attacker abuses this flaw by hosting a page that submits a forged request when a logged-in administrator visits it. The forged request registers a Chronos automation task that promotes a chosen form submitter account to the administrator role. When WordPress cron next fires, the task executes with the plugin's own privileges, completing the escalation without further interaction.

Root Cause

The vulnerability stems from absent nonce validation on the task creation endpoint. The relevant controller and library code paths in plus/chronos/controllers/task_controller.php, plus/chronos/libs/rm_chronos.php, plus/chronos/libs/task.php, and plus/chronos/services/service.php do not enforce wp_verify_nonce or capability checks tied to the request. See the WordPress Plugin Code Review for the vulnerable code.

Attack Vector

Exploitation is remote and network-based. The attacker crafts an HTML page or link that issues a forged POST to the vulnerable Chronos endpoint. The attacker then delivers the link to a WordPress administrator through phishing, forum posts, or comment injection. Once the administrator loads the attacker's content, their browser silently submits the task-creation request, and cron subsequently promotes the attacker-controlled account.

No authenticated exploitation code has been published. Technical details on the vulnerable code paths are available in the Wordfence Vulnerability Report and the WordPress Plugin Changeset containing the fix.

Detection Methods for CVE-2026-12158

Indicators of Compromise

  • Unexpected entries in the RegistrationMagic Chronos task table, particularly tasks that assign or modify user roles.
  • WordPress user accounts recently promoted to the administrator role without a corresponding administrative audit trail.
  • HTTP POST requests to plugin endpoints under plus/chronos/ originating from cross-origin Referer headers.

Detection Strategies

  • Audit the wp_usermeta table for recent changes to wp_capabilities that grant the administrator role.
  • Review WordPress cron logs and the Chronos task history for tasks created outside normal administrative workflows.
  • Inspect webserver access logs for POSTs to the RegistrationMagic task controller lacking valid nonce parameters.

Monitoring Recommendations

  • Alert on any privilege change to the administrator role and require secondary review.
  • Monitor for anomalous Referer values on plugin administrative endpoints and flag off-site origins.
  • Track new Chronos task creation events and correlate them with authenticated admin session activity.

How to Mitigate CVE-2026-12158

Immediate Actions Required

  • Update the RegistrationMagic plugin to a version newer than 6.0.9.1 as soon as a patched release is available.
  • Audit all administrator accounts and remove any unauthorized promotions.
  • Review and delete unrecognized Chronos automation tasks.
  • Rotate credentials for administrator accounts that may have been created or modified.

Patch Information

The vendor addressed the issue in a commit tracked by the WordPress Plugin Changeset. Site operators should upgrade to the fixed release identified in the Wordfence Vulnerability Report.

Workarounds

  • Temporarily deactivate the RegistrationMagic plugin until the patched version is installed.
  • Restrict administrator browsing sessions and require administrators to use a dedicated browser profile with no untrusted tabs open.
  • Deploy a web application firewall rule that requires a valid WordPress nonce parameter on requests to the plugin's Chronos endpoints.
  • Disable WordPress cron execution (DISABLE_WP_CRON) and replace it with a controlled system cron that logs task execution for review.
bash
# Configuration example: disable built-in WP-Cron and use system cron
# In wp-config.php
define('DISABLE_WP_CRON', true);

# Then schedule via system cron (every 15 minutes)
*/15 * * * * www-data /usr/bin/php /var/www/html/wp-cron.php >/dev/null 2>&1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.