CVE-2025-2836

Description

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘payment_method’ parameter in all versions up to, and including, 6.0.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PUBLISHED Reserved 2025-03-26 | Published 2025-04-04 | Updated 2026-04-08 | Assigner Wordfence

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Timeline

Credits

Brian Sans-Souci finder

References

www.wordfence.com/...-bdb0-4edb-bfec-2ed52cbc5cb6?source=cve

plugins.trac.wordpress.org/...ass_rm_form_factory_revamp.php

plugins.trac.wordpress.org/...ass_rm_form_factory_revamp.php

plugins.trac.wordpress.org/...s/class_registration_magic.php

plugins.trac.wordpress.org/changeset/3265041/

cve.org (CVE-2025-2836)

nvd.nist.gov (CVE-2025-2836)

Download JSON