RegistrationMagic < 6.0.7.2 – Unauthenticated Privilege Escalation via admin_order | CVE 2025-15403 | Plugin Vulnerabilities

Description

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.

Affects Plugins

custom-registration-form-builder-with-submission-manager

Fixed in 6.0.7.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Osvaldo Noe Gonzalez Del Rio (Os)

Verified

No

WPVDB ID

b5aca8e4-e2de-464a-9fcf-552138361e9c

Timeline

Publicly Published

2026-01-16 (about 4 months ago)

Added

2026-01-16 (about 4 months ago)

Last Updated

2026-03-31 (about 2 months ago)

Other

Published

Title

Published

2025-08-05

Title

Reveal Listing < 3.4 - Unauthenticated Privilege Escalation

Published

2024-09-10

Title

WooCommerce Photo Reviews Premium < 1.3.14 - Authentication Bypass to Account Takeover and Privilege Escalation

Published

2022-09-13

Title

WPGateway <= 3.5 - Unauthenticated Privilege Escalation

Published

2025-10-21

Title

Age Restriction <= 3.0.2 - Subscriber+ Privilege Escalation

Published

2025-01-31

Title

WooCommerce Customers Manager < 31.4 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation