PT-2026-3341 · WordPress · Registrationmagic

Published 2026-01-17 · Updated 2026-01-22 · CVE-2025-15403

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

RegistrationMagic versions prior to 6.0.7.1

Description

The RegistrationMagic plugin for WordPress is susceptible to a privilege escalation issue. The add menu function is accessible through the rm user exists AJAX action, allowing manipulation of the admin order setting. An unauthenticated attacker can inject an empty slug into the order parameter, influencing the plugin's menu generation. As a result, when the admin menu is built, the plugin adds the 'manage_options' capability to a target role. The initial access requires no authentication, but further escalation requires at least a subscriber user.

Recommendations

Versions prior to 6.0.7.1 should be updated to a newer, fixed version.

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2025-15403

Affected Products

Registrationmagic