CVE-2025-15403: CWE-269 Improper Privilege Management in metagauss RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login
The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action and allowing arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.
AI Analysis
Technical Summary
CVE-2025-15403 is a critical security vulnerability identified in the RegistrationMagic WordPress plugin, which is widely used for custom registration forms, user registration, payment processing, and user login management. The flaw stems from improper privilege management (CWE-269) in the plugin's 'add_menu' function, which is accessible through the 'rm_user_exists' AJAX action. This function allows unauthenticated attackers to inject an empty slug into the 'admin_order' parameter, manipulating the plugin's menu generation logic. As a result, when the WordPress admin menu is constructed, the plugin inadvertently assigns the 'manage_options' capability—normally reserved for administrators—to the targeted user role. Although the initial exploitation vector requires no authentication, further privilege escalation to full administrative rights requires the attacker to have at least subscriber-level access. This vulnerability affects all versions up to and including 6.0.7.1 of RegistrationMagic. The CVSS v3.1 base score of 9.8 reflects the vulnerability's ease of exploitation (network vector, no privileges, no user interaction) and its severe impact on confidentiality, integrity, and availability. No official patches or exploit code are currently published, but the risk of exploitation remains high due to the plugin's popularity and the critical nature of the flaw.
Potential Impact
For European organizations, this vulnerability poses a significant risk to WordPress-based websites using the RegistrationMagic plugin. Successful exploitation can lead to unauthorized administrative access, enabling attackers to modify site settings, inject malicious code, steal sensitive user data, disrupt services, or pivot to other internal systems. The compromise of administrative privileges undermines the confidentiality and integrity of data and can cause prolonged downtime or defacement, impacting business operations and reputation. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, face heightened regulatory and compliance risks if exploited. Additionally, the vulnerability's unauthenticated attack vector increases the likelihood of automated scanning and exploitation attempts, making timely mitigation critical.
Mitigation Recommendations
Given the absence of an official patch at the time of this report, European organizations should implement immediate compensating controls. These include disabling or restricting access to the 'rm_user_exists' AJAX action via web application firewalls (WAFs) or custom server rules to block unauthorized requests. Limiting subscriber user roles and auditing existing user permissions can reduce the risk of privilege escalation. Monitoring WordPress logs for unusual AJAX activity related to RegistrationMagic is advised. Organizations should also consider temporarily deactivating the RegistrationMagic plugin if feasible until a patch is released. Once available, promptly apply vendor patches or updates. Applying the principle of least privilege to WordPress roles and enforcing multi-factor authentication for administrative accounts further mitigates risk. Regular backups and incident response preparedness are essential to recover from potential compromises.
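As an added example (not code from this page or from the RegistrationMagic plugin), the following Python script applies the log-monitoring recommendation above: it parses constructed Apache-style access-log lines and flags 'rm_user_exists' calls that carry the 'admin_order' parameter named in the advisory, plus sources making an unusual number of such calls. The log format, sample addresses and the rate threshold are assumptions.

```python
"""Flag suspicious calls to RegistrationMagic's rm_user_exists AJAX action
in web-server access logs (constructed example, not the plugin's own code)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip - - [timestamp] "METHOD url HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields the detector needs, or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # keep_blank_values matters: the reported abuse uses an EMPTY slug value
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path, "params": params}

def find_suspicious(lines, rate_threshold=5):
    """Return (ip, timestamp, reason) tuples for rm_user_exists calls worth review.
    Only query-string parameters are visible; POST bodies are not logged by default."""
    findings, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if rec["params"].get("action") != "rm_user_exists":
            continue
        per_ip[rec["ip"]] += 1
        # A registration-form availability check has no reason to carry admin_order
        if "admin_order" in rec["params"]:
            findings.append((rec["ip"], rec["ts"], "admin_order sent to rm_user_exists"))
    for ip, n in per_ip.items():
        if n >= rate_threshold:
            findings.append((ip, None, f"{n} rm_user_exists calls from one source"))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jan/2026:02:31:05 +0000] "POST /wp-admin/admin-ajax.php?action=rm_user_exists&admin_order= HTTP/1.1" 200 57',
    '198.51.100.4 - - [17/Jan/2026:02:32:10 +0000] "POST /wp-admin/admin-ajax.php?action=rm_user_exists HTTP/1.1" 200 21',
    '198.51.100.4 - - [17/Jan/2026:02:32:40 +0000] "GET /register/ HTTP/1.1" 200 8810',
] + [
    f'192.0.2.9 - - [17/Jan/2026:02:4{i}:00 +0000] "POST /wp-admin/admin-ajax.php?action=rm_user_exists HTTP/1.1" 200 21'
    for i in range(5)
]
```

Because a clean query string does not prove a request was benign, pair this with WAF or server rules that also inspect POST bodies, as the recommendations above suggest.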
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-31T17:02:01.026Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696af5b4b22c7ad8685027bd
Added to database: 1/17/2026, 2:36:36 AM
Last enriched: 1/24/2026, 7:49:32 PM
Last updated: 2/7/2026, 11:36:12 AM