WordPress Security Bulletin: RegistrationMagic Plugin Vulnerability (CVE-2025-15403)

On this page

Security Alert Summary

The RegistrationMagic plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-15403) affecting all versions up to and including 6.0.7.1. The issue allows an unauthenticated actor to manipulate a plugin setting via an AJAX action, which can result in granting elevated capabilities to an existing role when the plugin’s admin menu is built. Further privilege escalation requires at least a subscriber account.

CVE Details

  • CVE ID: CVE-2025-15403
  • Affected component: RegistrationMagic plugin for WordPress
  • Affected versions: All versions up to and including 6.0.7.1
  • Published: January 17, 2026 3:16:03 AM UTC
  • Last modified: January 17, 2026 3:16:03 AM UTC
  • CVSS v3.1: Base Score 9.8 — CRITICAL
    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None (PR:N)
    • User Interaction: None (UI:N)
    • Scope: Unchanged
    • Confidentiality / Integrity / Availability Impact: High / High / High
  • Authentication / Exploitation notes: The vulnerability can be exploited unauthenticated to manipulate the plugin setting; however, any further privilege escalation steps require at least a subscriber account on the site.
  • Weakness (CWE): CWE-269

Technical Details

The vulnerability exists because the plugin exposes the add_menu functionality via the rm_user_exists AJAX action without adequate validation. An attacker can perform requests that update the plugin’s admin_order setting by injecting an empty slug into the order parameter. When the plugin later constructs the admin menu, this manipulated ordering can cause the plugin to add the manage_options capability to the targeted role.

Because the AJAX action is reachable without authentication, the initial manipulation can be performed from the network. The description indicates that manipulation of the setting occurs via arbitrary updates to admin_order, and that the menu-generation logic subsequently grants the manage_options capability for the role affected by that setting. The issue is therefore a combination of insufficient access control on an AJAX endpoint and insufficient validation in the menu-generation path.

How This Could Impact Your Website

Consider a site with multiple users: a site owner, internal staff (editors or authors), and external contractors or contributors with subscriber-level accounts. An unauthenticated attacker could alter the plugin setting so that, when the admin menu is rebuilt, an existing lower-privilege role (for example, subscribers) is granted the manage_options capability. If an attacker can then control or compromise a subscriber account (for example, a contractor with a weak password), that account could be used to perform administrative actions that the site owner did not intend.

Practical consequences may include exposure of settings or data accessible to administrators, an increased risk of targeted phishing or social engineering if internal contact information is accessible, and unauthorized changes to site configuration. The exact impact depends on the roles present on your site and how the plugin is used; it does not automatically imply full site takeover but does raise a risk of significant privilege misuse.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (If a fixed version is not specified in the CVE entry, check the plugin’s official source for updates.)
  • Review and reduce unnecessary user roles, especially contributors and subscribers with elevated capabilities.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual behavior related to role or capability changes, admin menu modifications, or suspicious AJAX requests.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References