CVE-2025-15403
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| registrationmagic | custom_registration_form_builder_with_submission_manager | up to and including 6.0.7.1 |
| registrationmagic | custom_registration_form_builder_with_submission_manager | 6.0.7.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the RegistrationMagic WordPress plugin allows unauthenticated attackers to exploit the 'add_menu' function via the 'rm_user_exists' AJAX action. This lets attackers inject an empty slug into the 'admin_order' setting, manipulating the plugin's menu generation logic. As a result, when the admin menu is built, the plugin improperly grants the 'manage_options' capability to a target user role. Although exploitation starts without authentication, further privilege escalation requires at least a subscriber user. This flaw enables unauthorized privilege escalation within the plugin. [2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized privilege escalation, allowing attackers to gain administrative capabilities ('manage_options') within the WordPress site via the RegistrationMagic plugin. This means an attacker could potentially modify site settings, manage options, and perform administrative actions without proper authorization, compromising the security and integrity of the website. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking whether the RegistrationMagic WordPress plugin is installed and running a vulnerable version (up to and including 6.0.7.1). Since the vulnerability involves an unauthenticated AJAX action, `rm_user_exists`, that allows privilege escalation, you can monitor or test for unauthorized access attempts to this AJAX endpoint. For example, you can use curl or similar tools to send requests to the AJAX action and observe whether privilege escalation is possible. A sample command to test the vulnerable AJAX action might be:

```
curl -X POST -d 'action=rm_user_exists&admin_order=' https://yourwordpresssite.com/wp-admin/admin-ajax.php
```

If the response indicates that the `admin_order` setting can be manipulated without authentication, the system is vulnerable. Additionally, reviewing user roles and capabilities for unexpected `manage_options` capabilities assigned to subscriber or other low-privilege roles can indicate exploitation. Network monitoring tools can be configured to alert on POST requests to `admin-ajax.php` with the `rm_user_exists` action from unauthenticated sources. Note: specific detection commands or scripts are not provided in the resources; the above approach is inferred from the vulnerability description and code context. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the RegistrationMagic plugin to version 6.0.7.2 or later, where security patches have been applied to enforce capability checks, add nonce verification, and restrict unauthorized AJAX access, as detailed in the changeset addressing CVE-2025-15403.
2. If an immediate update is not possible, restrict access to the vulnerable AJAX action `rm_user_exists` by implementing web application firewall (WAF) rules or server-level restrictions to block unauthenticated POST requests to `admin-ajax.php` with this action.
3. Review and audit user roles and capabilities in WordPress to ensure no unauthorized `manage_options` capabilities have been assigned to low-privilege roles.
4. Implement monitoring for suspicious AJAX requests targeting the plugin's endpoints.

These steps are based on the security hardening and capability checks introduced in version 6.0.7.2, which include nonce verification and capability enforcement to prevent privilege escalation. [2, 4]
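A stop-gap must-use plugin, written here as an added example (not code from BaseFortify, Wordfence or RegistrationMagic), that implements steps 2 and 3 inside WordPress itself: it refuses the `rm_user_exists` AJAX action for visitors who are not logged in and logs the attempt, and it reports any role other than administrator that holds `manage_options`. The file name, log and notice wording, and the choice of the `admin_init` hook at priority 0 (so it runs before the plugin's own handler is dispatched) are assumptions.

```php
<?php
/**
 * Plugin Name: CVE-2025-15403 interim hardening (added example, not vendor code)
 * Description: Blocks unauthenticated rm_user_exists AJAX requests and flags roles
 * that hold manage_options. Stop-gap until RegistrationMagic >= 6.0.7.2 is installed.
 */
defined( 'ABSPATH' ) || exit;

// Step 2: refuse the vulnerable AJAX action for visitors who are not logged in.
// admin-ajax.php fires admin_init before dispatching the action, so priority 0 here
// runs ahead of whatever priority the plugin used for its own handler (assumption).
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'rm_user_exists' !== $action ) {
        return;
    }
    // Log the blocked request so it can feed the monitoring suggested in step 4.
    error_log( 'CVE-2025-15403 hardening: blocked unauthenticated rm_user_exists from ' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 0 );

// Step 3: return the slugs of every role other than administrator that carries
// manage_options; callable from WP-CLI via `wp eval` as well as from the notice below.
function cve_2025_15403_roles_with_manage_options() {
    $flagged = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        if ( 'administrator' !== $slug && $role->has_cap( 'manage_options' ) ) {
            $flagged[] = $slug;
        }
    }
    return $flagged;
}

// Surface the audit result to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $flagged = cve_2025_15403_roles_with_manage_options();
    if ( $flagged ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( 'Roles holding manage_options besides administrator: ' . implode( ', ', $flagged ) ) );
    }
} );
```

Remove the file once the plugin has been updated to 6.0.7.2 or later, since the vendor's own capability and nonce checks supersede it.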