CVE Alert: CVE-2025-11204 – metagauss – RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
CVE-2025-11204
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.0.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. An unauthenticated attacker could inject Cross-Site Scripting via the user-agent header on form submission and leverage this to achieve Reflected Cross-Site Scripting.
AI Summary Analysis
Risk verdict
High risk to sites using the affected plugin; exploitation is plausible for attackers with admin access and the accompanying XSS path raises additional exposure, so patching should be treated as urgent.
Why this matters
Authenticated SQL injection can exfiltrate sensitive database data, including user records. The described unauthenticated XSS path, if feasible in some configurations, could enable client-side script execution or session theft, aggravating the impact on visitor and admin accounts. Together, these vectors threaten data integrity, confidentiality and availability of WordPress sites relying on the plugin.
Most likely attack path
Precondition: plugin present and reachable; attacker already has administrator or higher privileges (per CVSS). An injection targets the plugin’s queries, allowing appending of SQL statements to read or alter data. A secondary XSS path could be triggered via form submissions or user-agent manipulation, depending on environment, potentially broadening impact.
Who is most exposed
Sites with the vulnerable plugin installed and with active admin access are at greatest risk, especially multi-user or e-commerce WordPress deployments on shared hosting or exposed admin interfaces.
Detection ideas
- Spike in database errors or long-running SQL queries in server logs.
- Unusual admin actions or privilege escalations.
- Anomalous data exports or unexpected data access from user tables.
- Suspicious user-agent payloads appearing in form submissions.
- WAF/IDS alerts for SQL injection patterns in registration/login forms.
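The two log-based ideas above (markup in the User-Agent of form submissions, SQLi-shaped query strings on admin requests) can be checked together in one pass over combined-format web server logs. The following is an added example, not part of the advisory and not the plugin's code; the log lines are constructed, and the paths and the PLUGIN_PAGE parameter are placeholders rather than the plugin's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Low-noise SQLi indicators: union/stacked queries, tautologies, comment truncation.
SQLI_RE = re.compile(
    r"(\bunion\b[\s/*]+(all[\s/*]+)?select\b|\bor\b\s+\d+\s*=\s*\d+|'\s*(--|#)"
    r"|;\s*(select|insert|update|delete|drop)\b|\binformation_schema\b|\bsleep\s*\()",
    re.IGNORECASE,
)
# A browser never sends markup or event handlers in its User-Agent.
UA_XSS_RE = re.compile(
    r"(<\s*/?\s*(script|img|svg|iframe)\b|javascript:|\bon\w+\s*=)", re.IGNORECASE
)

# Constructed sample traffic (not real); PLUGIN_PAGE is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:01:02 +0000] "POST /register/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2025:10:01:07 +0000] "POST /register/ HTTP/1.1" 200 512 "-" "<script>alert(1)</script>"
198.51.100.7 - - [10/Oct/2025:10:02:11 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE&orderby=id%20UNION%20SELECT%201,2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2025:10:03:00 +0000] "GET /?s=o%27reilly HTTP/1.1" 200 128 "-" "curl/8.0"
"""


def scan_log(text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at fields
        f = m.groupdict()
        decoded = unquote_plus(f["target"])  # inspect the request after URL decoding
        sqli = SQLI_RE.search(decoded)
        xss = UA_XSS_RE.search(f["ua"])
        if sqli:
            findings.append({"ip": f["ip"], "method": f["method"], "kind": "sqli",
                             "evidence": sqli.group(0)})
        if xss:
            findings.append({"ip": f["ip"], "method": f["method"], "kind": "xss_user_agent",
                             "evidence": xss.group(0)})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The bare apostrophe in the fourth sample line is deliberately left unflagged; tune SQLI_RE against your own traffic before wiring it into a WAF or SIEM rule.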
Mitigation and prioritisation
- Patch to the latest fixed version immediately; test in staging before production rollout.
- If patching is not possible, disable the plugin or restrict admin access; apply compensating controls.
- Enforce MFA and rotate admin credentials; implement least-privilege for accounts.
- Implement WAF rules and network controls to block SQLi-like payloads in inputs.
- Schedule change management with a defined maintenance window; verify database integrity post-patch.