Description
The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is because the 'add_menu' function is reachable via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability to the target role. Note: the setting can be modified without authentication, but the resulting privilege escalation requires at least a subscriber user.
Published: 2026-01-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

An unauthenticated attacker can reach the 'add_menu' function through the 'rm_user_exists' AJAX action and update the 'admin_order' setting with an empty slug, manipulating the plugin's menu generation logic. When the admin menu is subsequently built, the plugin grants the target role the 'manage_options' capability, which is effectively administrator-level access. The unauthenticated step only corrupts the setting; turning it into elevated privileges requires an account in the targeted role, at minimum a subscriber, after which that account holds full control of the WordPress site.

Affected Systems

The affected product is the RegistrationMagic plugin for WordPress, versions up to and including 6.0.7.1, developed by MetaGauss and used for custom registration forms, user registration, payment, and user login functionality.

Risk and Exploitability

The severity reported by CVSS is 9.8, indicating critical impact, while the EPSS score is less than 1% reflecting a very low exploitation probability as of current data. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers can trigger exploitation unauthenticated via the public AJAX endpoint; however, further privilege escalation requires the existence of at least a subscriber user account on the WordPress installation.

Generated by OpenCVE AI on April 21, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RegistrationMagic plugin to a version newer than 6.0.7.1, once one is available, to eliminate the vulnerable code path
  • Configure the WordPress environment to block unauthenticated access to the 'rm_user_exists' AJAX action, for example by using a firewall or plugin that restricts AJAX endpoints to authenticated users only
  • Remove or disable the RegistrationMagic plugin if it is not required for site functionality to eliminate the attack surface

Generated by OpenCVE AI on April 21, 2026 at 16:19 UTC.
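The second recommended action above ("block unauthenticated access to the 'rm_user_exists' AJAX action") is easy to get subtly wrong, because admin-ajax.php reads the action from $_REQUEST, so it can arrive in the query string or in the POST body. The following is an added, constructed example of that filter's decision logic; it is not OpenCVE's, Wordfence's or the plugin's code. The Request type, the sample traffic and the use of a 'wordpress_logged_in_*' cookie as the "is authenticated" signal are assumptions: the cookie check is a cheap edge heuristic that does not validate the session, so the authoritative check (is_user_logged_in / current_user_can) still belongs inside WordPress.

```python
"""Decision logic for the mitigation above: refuse the 'rm_user_exists' AJAX
action unless the caller is logged in.

Added, constructed example; not OpenCVE's or the plugin's code. It models the
rule a WAF or a small WordPress mu-plugin would apply in front of
admin-ajax.php. Treating the presence of a 'wordpress_logged_in_*' cookie as
'authenticated' is an assumption made for a cheap edge filter: it does not
validate the session, so the real authorization check stays in WordPress.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
RESTRICTED_ACTIONS = {"rm_user_exists"}        # actions denied to anonymous callers
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"   # WordPress appends COOKIEHASH


@dataclass
class Request:
    """Minimal view of an HTTP request as a filter would see it (assumed shape)."""
    method: str
    url: str                                   # path plus optional query string
    headers: dict = field(default_factory=dict)
    body: str = ""                             # raw request body, if any


def header(req, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def ajax_actions(req):
    """Every value of 'action' in the query string and, for form posts, the body.

    admin-ajax.php takes the action from $_REQUEST, so a filter that inspects
    only one of the two sources is trivially bypassed via the other.
    """
    found = set(parse_qs(urlsplit(req.url).query).get("action", []))
    ctype = header(req, "content-type").split(";")[0].strip().lower()
    if req.method.upper() == "POST" and ctype == "application/x-www-form-urlencoded":
        found.update(parse_qs(req.body).get("action", []))
    # multipart/form-data bodies are not parsed here; a deployed filter must
    # cover that encoding too or it leaves a bypass.
    return found


def has_login_cookie(req):
    """True if any cookie name starts with the WordPress login-cookie prefix."""
    for part in header(req, "cookie").split(";"):
        if part.strip().split("=", 1)[0].startswith(LOGIN_COOKIE_PREFIX):
            return True
    return False


def should_block(req):
    """Block anonymous calls to a restricted action on admin-ajax.php; pass all else."""
    if urlsplit(req.url).path != AJAX_PATH:
        return False
    if not (ajax_actions(req) & RESTRICTED_ACTIONS):
        return False
    return not has_login_cookie(req)


# Constructed sample traffic (not captured from a real site).
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLES = [
    ("anonymous GET", Request("GET", AJAX_PATH + "?action=rm_user_exists")),
    ("anonymous POST", Request("POST", AJAX_PATH, FORM, "action=rm_user_exists")),
    ("action in body behind a benign query",
     Request("POST", AJAX_PATH + "?action=heartbeat", FORM, "action=rm_user_exists")),
    ("logged-in POST",
     Request("POST", AJAX_PATH,
             {**FORM, "Cookie": "wordpress_logged_in_5f3c=alice%7C1; wp-settings-time-1=1"},
             "action=rm_user_exists")),
    ("unrelated action", Request("GET", AJAX_PATH + "?action=heartbeat")),
    ("same action, different endpoint", Request("GET", "/index.php?action=rm_user_exists")),
]


def evaluate(samples=SAMPLES):
    """Return {label: blocked?} for each sample request."""
    return {label: should_block(req) for label, req in samples}


if __name__ == "__main__":
    for label, blocked in evaluate().items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {label}")
```

The third sample is the case a naive query-string-only rule misses: a benign action in the URL and the restricted one in the body. Inside WordPress itself the same rule is simpler and stronger, since the handler can ask is_user_logged_in() and current_user_can() directly instead of guessing from cookies; this edge filter only buys time until the plugin is updated, which the remediation section above still lists as the real fix.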

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Title
Values Removed: RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order
Values Added: RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order

Tue, 20 Jan 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Metagauss; Metagauss registrationmagic; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Metagauss; Metagauss registrationmagic; Wordpress; Wordpress wordpress

Sat, 17 Jan 2026 02:30:00 +0000

Type: Description
Values Added: The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is because the 'add_menu' function is reachable via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability to the target role. Note: the setting can be modified without authentication, but the resulting privilege escalation requires at least a subscriber user.

Type: Title
Values Added: RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order

Type: Weaknesses
Values Added: CWE-269

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:32.425Z

Reserved: 2025-12-31T17:02:01.026Z

Link: CVE-2025-15403

Vulnrichment

Updated: 2026-01-20T18:41:15.928Z

NVD

Status: Deferred

Published: 2026-01-17T03:16:03.693

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses