CVE-2026-1054
RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings ModificationThe RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.
We have discovered 1,530 live websites that are affected by CVE-2026-1054.
Affected Software
| Product |  Custom Registration Form Builder With Submission Manager |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,530 live websites (96% of Custom Registration Form Builder With Submission Manager install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 182 versions ( 99% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Jan 28, 2026
- Updated - Jan 28, 2026
Credits
- Md. Moniruzzaman Prodhan (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-1054 United States | 588 websites |
 Germany | 127 websites |
 Italy | 119 websites |
 France | 70 websites |
 GB | 68 websites |
 Canada | 39 websites |
 Netherlands | 35 websites |
 Spain | 30 websites |
 South Africa | 29 websites |
 India | 25 websites |
Website Distribution by TLD
Number of websites using CVE-2026-1054| .com | 638 websites |
| .org | 180 websites |
| .it | 92 websites |
| .de | 51 websites |
| .net | 48 websites |
| .co.uk | 39 websites |
| .nl | 27 websites |
| .eu | 24 websites |
| .pl | 19 websites |
| .com.br | 17 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-1054
Top websites that are affected by CVE-2026-1054. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.edu | United States | **,*** | |
| **.net | United States | **,*** | |
| ********.org | United States | ***,*** | |
| *************.com | United States | ***,*** | |
| *************.com | Germany | ***,*** | |
| ******************.com | United States | ***,*** | |
| ********.***.in | India | ***,*** | |
| ***********.org | United States | ***,*** | |
| *******************.com | France | ***,*** | |
| *******.com | France | ***,*** |
FAQ
CVE-2026-1054 is Missing Authorization in Custom Registration Form Builder With Submission Manager
A total of 1,530 websites have been identified as vulnerable to CVE-2026-1054, based on global website indexing conducted by WebTechSurvey.
The Custom Registration Form Builder With Submission Manager is affected by the CVE-2026-1054 vulnerability.
Custom Registration Form Builder With Submission Manager versions up to and including 6.0.7.4 are vulnerable to CVE-2026-1054.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve
- https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209
- https://plugins.trac.wordpress.org/changeset/3444777/