Platform: wordpress
Component: custom-registration-form-builder-with-submission-manager
Fixed in: 6.0.8
CVE-2025-15403 is a Privilege Escalation vulnerability affecting the RegistrationMagic plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's menu generation logic, potentially granting them elevated administrative privileges. The vulnerability impacts versions from 0.0.0 up to and including 6.0.7.1, and a patch is available in version 6.0.7.2.
CVE-2025-15403 in the RegistrationMagic WordPress plugin represents a significant privilege escalation risk. An unauthenticated attacker can exploit the 'addmenu' function through the 'rmuserexists' AJAX action to manipulate the 'adminorder' setting. Injecting an empty slug into the 'order' parameter allows the attacker to alter the plugin's menu generation logic. Subsequently, when the admin menu is built, the plugin adds unwanted elements, potentially allowing an attacker to gain access to administrative functionalities without proper authorization. The CVSS score of 9.8 indicates a critical impact, as successful exploitation could result in full control of the WordPress admin panel, compromising the website's security and user data. This vulnerability affects all plugin versions up to and including 6.0.7.1.
Exploiting this vulnerability only requires the ability to send AJAX requests to a WordPress site running the vulnerable RegistrationMagic plugin. No authentication is required to make the request, which facilitates exploitation. The attacker can use tools such as cURL or a web browser with developer tools to send a manipulated AJAX request to the 'rmuserexists' action, injecting an empty slug into the 'order' parameter. The success of the exploitation depends on the plugin and web server configuration, but in most cases the vulnerability is easily exploitable. The lack of input validation in the 'add_menu' function is the primary cause of this vulnerability, allowing attackers to bypass security controls.
Exploit Status:
EPSS: 0.14% (34th percentile)
CISA SSVC:
CVSS Vector:
The immediate solution to mitigate the risk of CVE-2025-15403 is to update the RegistrationMagic plugin to version 6.0.7.2 or higher. This version includes a fix that addresses the privilege escalation vulnerability by validating the input of the 'order' parameter in the 'addmenu' function. Additionally, it is recommended to review user permissions in WordPress and limit access to administrative functionalities only to those users who genuinely require them. Implementing a robust security policy, including regular updates of all WordPress plugins and themes, is crucial for maintaining website security. Monitoring server logs for suspicious activity related to the 'rmuser_exists' AJAX action can also help detect and respond to potential attacks.
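The log-monitoring advice above can be turned into a concrete check. The script below is an added example, not code from the advisory or from the RegistrationMagic project: it parses web server access log lines in the common Apache/nginx combined format (an assumption about the log layout), picks out requests to `/wp-admin/admin-ajax.php` whose query string carries the AJAX action named on this page (the page spells it both 'rmuserexists' and 'rmuser_exists', so both are matched), and ranks the hit higher when an 'order' parameter is present or empty, which is the pattern the advisory describes. The sample log lines are constructed for the example. One caveat a practitioner should keep in mind: parameters sent in a POST body never reach the access log, so for POST traffic this check can only see the action name if it is in the query string; a WAF or application-level log is needed to see the 'order' value in that case.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format as written by Apache and nginx by default. This layout is an
# assumption; adjust the pattern if the server uses a custom log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The advisory uses two spellings of the AJAX action; match both so neither is missed.
SUSPECT_ACTIONS = {"rmuserexists", "rmuser_exists"}

# Constructed sample lines (not real traffic): two probes with the 'order' parameter in
# the query string, one POST that only exposes the action name, one benign AJAX call,
# and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=rmuser_exists&order= HTTP/1.1" 200 12 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=rmuser_exists&order=example_slug HTTP/1.1" 200 12 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=rmuserexists HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    "garbage line that does not match the log format",
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values=True so that 'order=' (the empty slug) is kept as order == ''.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(rec):
    """Return a reason string if the request matches the advisory's pattern, else None."""
    if not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    if rec["params"].get("action", "") not in SUSPECT_ACTIONS:
        return None
    if "order" in rec["params"]:
        if rec["params"]["order"] == "":
            # Empty slug in 'order' is the exact trigger described for CVE-2025-15403.
            return "rmuserexists with empty 'order' parameter (matches CVE-2025-15403 pattern)"
        return "rmuserexists with 'order' parameter supplied"
    # The action alone is worth a look; POST bodies are not logged, so 'order' may be hidden.
    return "rmuserexists AJAX action observed (review if unexpected)"


def scan(lines):
    """Run the check over an iterable of log lines and return (ip, timestamp, method, reason) hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append((rec["ip"], rec["ts"], rec["method"], reason))
    return hits


if __name__ == "__main__":
    for ip, ts, method, reason in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {method}: {reason}")
```

To run it against a real file, replace `SAMPLE_LOG` with `open("/var/log/nginx/access.log")` (path is an example). Hits from the same source address in quick succession, or any hit on a site that has not yet been updated to 6.0.7.2, are the ones to triage first.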
Update to version 6.0.7.2, or a newer patched version
A CVSS score of 9.8 indicates a critical vulnerability with a high potential for exploitation and a significant impact.
Yes, updating to version 6.0.7.2 or higher is the recommended solution to mitigate this vulnerability. Additionally, reviewing user permissions is advised.
If you are using a version of the RegistrationMagic plugin older than 6.0.7.2, you are vulnerable. You can also monitor server logs for suspicious activity.
Immediately change all passwords, review website files for unauthorized modifications, and consider restoring from a clean backup.
Implement a robust security policy, including regular updates of all plugins and themes, and the use of strong passwords.