CVE-2025-11204: 
WordPress vulnerability analysis and mitigation

CVE-2025-11204 affects the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress in versions up to and including 6.0.6.2. The vulnerability was discovered and disclosed on October 7, 2025, by researcher ifoundbug (NVD, Wordfence).

The vulnerability is classified as an SQL Injection vulnerability (CWE-89) due to insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The vulnerability has received a CVSS v3.1 Base Score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator access or higher to append additional SQL queries to existing queries, potentially leading to the extraction of sensitive information from the database. Additionally, unauthenticated attackers could leverage this vulnerability through injected Cross-Site Scripting via user-agent on form submission to achieve Reflected Cross-Site Scripting (NVD).

Users should update their RegistrationMagic plugin to a version newer than 6.0.6.2 as soon as it becomes available. The vulnerability has been reported and is tracked in the WordPress plugin repository (WordPress Plugin).