Cyber Posture

CVE-2025-15403

Critical

Published: 17 January 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action, which allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability to the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.

Mitigating Controls (NIST 800-53 r5), AI-generated

prevent: Timely identification, reporting, and correction of the flaw in the RegistrationMagic plugin (versions up to and including 6.0.7.1) directly prevents exploitation of the privilege escalation vulnerability.

prevent: Validates inputs such as the order parameter of the rm_user_exists AJAX action to block injection of an empty slug that manipulates the admin_order setting and the menu generation logic.

prevent: Enforces least privilege to prevent unauthorized addition of the manage_options capability to target roles via manipulated plugin menu generation.

Security Summary, AI-generated

CVE-2025-15403 is a privilege escalation vulnerability in the RegistrationMagic plugin for WordPress, affecting all versions up to and including 6.0.7.1. The flaw arises because the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action, enabling arbitrary updates to the 'admin_order' setting. Attackers can inject an empty slug into the order parameter to manipulate the plugin's menu generation logic, causing the addition of the 'manage_options' capability to a target role when the admin menu is subsequently built.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. The initial exploitation does not require authentication, but achieving further privilege escalation necessitates at least a subscriber user account. Successful attacks grant elevated privileges via the 'manage_options' capability, leading to high impacts on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-269 (Improper Privilege Management).

Advisories and references, including Wordfence threat intelligence and WordPress plugin trac details, point to specific code locations such as admin/class_rm_admin.php (line 487) and admin/controllers/class_rm_options_controller.php (line 562), along with changeset 3440797 which addresses the issue. Security practitioners should consult these resources for patch details and update the plugin accordingly to mitigate the vulnerability.

Details

CWE(s)

CWE-269 (Improper Privilege Management)

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) enables privilege escalation by manipulating admin menu settings to add elevated capabilities to user roles (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References