The RegistrationMagic plugin for WordPress suffers from a privilege escalation vulnerability (CWE-269) due to improper privilege management in the 'add_menu' function. This function is exposed via the 'rm_user_exists' AJAX action, which allows unauthenticated attackers to update the 'admin_order' setting arbitrarily. By injecting an empty slug into the order parameter, attackers can manipulate the plugin's menu generation logic. Consequently, when the admin menu is constructed, the plugin assigns the 'manage_options' capability to the targeted role, enabling privilege escalation. Exploitation requires an unauthenticated attacker to perform the initial manipulation and then leverage a subscriber-level user to escalate privileges further. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity. There is no vendor advisory or patch information currently available to confirm remediation status.

Successful exploitation allows unauthenticated attackers to manipulate the plugin's menu generation logic and escalate privileges to gain 'manage_options' capability, which typically grants administrative-level access within WordPress. This can lead to full site compromise, including confidentiality, integrity, and availability impacts as reflected by the CVSS score of 9.8. The vulnerability requires a two-step process: initial unauthenticated manipulation followed by privilege escalation from at least a subscriber user account.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected plugin or disable it if possible. Monitor for updates from the vendor metagauss regarding patches or official mitigations. Avoid granting subscriber or low-privilege accounts unnecessary permissions that could facilitate exploitation.