CVE-2025-15520
Awaiting Analysis Awaiting Analysis - Queue
Capability Bypass in RegistrationMagic Plugin Leads to Data Disclosure

Publication date: 2026-02-13

Last updated on: 2026-02-13

Assigner: WPScan

Description
The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15520
EUVD
EUVD-2025-207002
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
registrationmagic registrationmagic to 6.0.7.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-15520 is a sensitive data disclosure vulnerability in the WordPress plugin RegistrationMagic versions up to and including 6.0.7.2.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the plugin verifies nonces but does not properly check user capabilities, which means users with Subscriber or higher roles can access sensitive information they should not be able to see.'}, {'type': 'paragraph', 'content': "An attacker can exploit this by sending specific POST requests to the plugin's AJAX endpoint, which returns sensitive data such as revenue, submissions, and sent emails associated with user IDs."}, {'type': 'paragraph', 'content': 'This issue is classified under CWE-200 (Information Exposure) and corresponds to the OWASP Top 10 category A3: Sensitive Data Exposure.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive data to users with Subscriber or higher roles.

Sensitive information such as revenue details, form submissions, and sent emails related to users can be accessed without proper authorization.

Such exposure can compromise user privacy and potentially lead to further exploitation or misuse of the disclosed data.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to exploit the sensitive data disclosure using POST requests to the WordPress plugin's AJAX endpoint."}, {'type': 'list_item', 'content': 'Send a POST request as a subscriber user to `/wp-admin/admin-ajax.php` with parameters `action=rm_sort_form_fields` and `rm_slug=rm_user_manage`.'}, {'type': 'list_item', 'content': 'Check the response for a nonce value named `rm_sec_nonce`.'}, {'type': 'list_item', 'content': 'Use the obtained nonce in a second POST request to `/wp-admin/admin-ajax.php` with parameters `action=rm_user_additional_details`, `rm_slug=rm_user_additional_details`, `rm_sec_nonce=<nonce_value>`, and `user_ids[]=1`.'}, {'type': 'paragraph', 'content': 'If the second request returns sensitive data such as revenue, submissions, or sent emails associated with the user ID, the vulnerability is present.'}] [1]

Mitigation Strategies

The immediate mitigation step is to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or later, where this vulnerability has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15520. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart