CVE-2026-49764: WordPress RegistrationMagic plugin <= 6.0.8.6 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in RegistrationMagic versions <= 6.0.8.6.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Broken authentication vulnerability in the RegistrationMagic WordPress plugin (versions 6.0.8.6 and earlier) allows a remote, unauthenticated attacker to bypass the authentication mechanism entirely. The flaw is reachable over the network with no credentials, no special account, and no victim interaction required. Successful exploitation gives an attacker full read, write, and denial-of-service capability over the affected system. No upstream fix has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as one becomes available.
HarborGuard Coverage
- Available: Detection for CVE-2026-49764 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication, including custom-built images that bundle the RegistrationMagic plugin. Both direct package inclusion and transitive copies embedded in WordPress base images are covered.
- Available: HarborGuard is capable of scoring this finding at its published CVSS v3.1 severity of 9.8 (Critical) and weighting it against each environment's compliance policy to determine escalation priority. Routing to the appropriate team inbox within each customer organization is available automatically based on configured ownership rules.
- Pending upstream: Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and upstream package feeds on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild at the fix version becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; an attacker sends crafted HTTP requests directly to the WordPress installation from any internet-accessible endpoint.
- Authentication: Not required
No account or credential of any privilege level is needed; the authentication bypass is exploitable by a completely anonymous attacker.
- Victim interaction: Not required
The exploit executes entirely through direct attacker-to-server requests and requires no action from any user or administrator of the target site.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and condition-free, with no race conditions, memory-layout dependencies, or environmental prerequisites to satisfy.
Blast Radius
- Reads any data accessible to the WordPress application, including user credentials, session tokens, private form submissions, and stored personal data.
- Writes or modifies persisted database rows, including user account records, plugin configuration, and published content.
- Creates or escalates attacker-controlled accounts by manipulating the registration and authentication flow the plugin manages.
- Crashes or degrades the affected WordPress service by abusing authenticated-only operations that enforce no access check.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged Critical (CVSS 9.8) and is matched against all scanned images on every pipeline run. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack advisory and all relevant upstream package feeds on each ingest cycle and will make a patched-image rebuild available the moment a fix is published. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads. Until a patch is available, compensating controls to consider include placing the WordPress installation behind a web application firewall rule that blocks unauthenticated requests to the RegistrationMagic plugin endpoints, applying strict network-policy isolation to limit inbound access to trusted sources only, and disabling the plugin via a feature flag or configuration change until a fix is released. HarborGuard will update this advisory card and re-triage affected findings automatically when the upstream patch ships.
Affected Products
- Metagauss / RegistrationMagic ≤ 6.0.8.6
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H