CVE-2025-15520
Capability Bypass in RegistrationMagic Plugin Leads to Data Disclosure
Publication date: 2026-02-13
Last updated on: 2026-02-13
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| registrationmagic | registrationmagic | to 6.0.7.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15520 is a sensitive data disclosure vulnerability in the WordPress plugin RegistrationMagic versions up to and including 6.0.7.2.

The vulnerability occurs because the plugin verifies nonces but does not properly check user capabilities, which means users with Subscriber or higher roles can access sensitive information they should not be able to see.

An attacker can exploit this by sending specific POST requests to the plugin's AJAX endpoint, which returns sensitive data such as revenue, submissions, and sent emails associated with user IDs.

This issue is classified under CWE-200 (Information Exposure) and corresponds to the OWASP Top 10 category A3: Sensitive Data Exposure. [1]

How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive data to users with Subscriber or higher roles.
Sensitive information such as revenue details, form submissions, and sent emails related to users can be accessed without proper authorization.
Such exposure can compromise user privacy and potentially lead to further exploitation or misuse of the disclosed data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the sensitive data disclosure using POST requests to the WordPress plugin's AJAX endpoint.

- Send a POST request as a subscriber user to `/wp-admin/admin-ajax.php` with parameters `action=rm_sort_form_fields` and `rm_slug=rm_user_manage`.
- Check the response for a nonce value named `rm_sec_nonce`.
- Use the obtained nonce in a second POST request to `/wp-admin/admin-ajax.php` with parameters `action=rm_user_additional_details`, `rm_slug=rm_user_additional_details`, `rm_sec_nonce=<nonce_value>`, and `user_ids[]=1`.

If the second request returns sensitive data such as revenue, submissions, or sent emails associated with the user ID, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or later, where this vulnerability has been fixed.
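
The missing control described above is a capability check alongside the nonce check. As an added example (not RegistrationMagic's code and not the vendor's fix), the must-use plugin below denies the `rm_user_additional_details` AJAX action to callers who lack a required capability and logs each denial; the `manage_options` requirement, the `rm_guard_*` names and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: RM user-details capability guard (added example)
 * Description: Illustrative stop-gap; save as a file in wp-content/mu-plugins/.
 */

// Assumption: only administrators should read per-user revenue, submissions
// and sent emails. Change this if another role legitimately needs the data.
const RM_GUARD_REQUIRED_CAP = 'manage_options';

// AJAX action named in the detection steps on this page.
const RM_GUARD_ACTION = 'rm_user_additional_details';

/**
 * Runs before the plugin's own handler and stops the request unless the
 * caller holds the required capability. A valid nonce alone is not enough:
 * a nonce proves the request came from a page the user loaded, not that the
 * user is entitled to the data.
 */
function rm_guard_enforce(): void {
    // current_user_can() is false for logged-out visitors as well.
    if ( current_user_can( RM_GUARD_REQUIRED_CAP ) ) {
        return; // authorised: let the plugin's handler run as usual
    }

    // Denials are worth alerting on: a Subscriber has no reason to call this.
    error_log( sprintf(
        'rm-guard: denied action=%s user_id=%d ip=%s',
        RM_GUARD_ACTION,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // Sends a JSON error with HTTP 403 and ends the request, so no
    // later-priority callback (including the plugin's) is reached.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Must-use plugins load before regular plugins, and PHP_INT_MIN is the
// earliest possible priority, so this callback runs first for the action.
add_action( 'wp_ajax_' . RM_GUARD_ACTION, 'rm_guard_enforce', PHP_INT_MIN );
add_action( 'wp_ajax_nopriv_' . RM_GUARD_ACTION, 'rm_guard_enforce', PHP_INT_MIN );
```

The guard covers only the action named on this page; it does not stop the first request from returning the `rm_sec_nonce` value.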