[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fP6aEVsIsOz53r-BRKKqjrE1ox7Rgcnh2wJGGrk3jfBI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-15520","registrationmagic-custom-registration-forms-user-registration-payment-and-user-login-authenticated-subscriber-informatio","RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login \u003C= 6.0.7.1 - Authenticated (Subscriber+) Information Exposure","The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.7.1. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","custom-registration-form-builder-with-submission-manager",null,"\u003C=6.0.7.1","6.0.7.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-23 00:00:00","2026-05-04 14:57:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd87c4534-3f71-4e7e-bf17-222e77fee24f?source=api-prod",102,[22,23,24,25,26,27,28,29],"admin\u002Fclass_rm_admin.php","admin\u002Fcontrollers\u002Fclass_rm_form_controller.php","admin\u002Fcontrollers\u002Fclass_rm_options_controller.php","admin\u002Fcontrollers\u002Fclass_rm_user_controller.php","admin\u002Fviews\u002Ftemplate_rm_login_sett_manage.php","admin\u002Fviews\u002Ftemplate_rm_user_manager.php","includes\u002Fclass_registration_magic.php","includes\u002Fclass_rm_activator.php","researched",false,3,"vars.nonce`.\n\n    Wait, I see a huge potential leak:\n    `admin\u002Fcontrollers\u002Fclass_rm_form_controller.php`:\n    ```php\n    $data[$i]->form_attachments = $attach_service->get_all_form_attachments($form->form_id);\n    ```\n    This lists all files uploaded to a form.\n\n    Let's formulate the plan:\n    The vulnerability allows any authenticated user (Subscriber+) to access admin-only controllers by leveraging the `rm_get_stats` AJAX action (or other actions mapped to `RM_Main_Controller::run`) and specifying a privileged `rm_slug`.\n\n    Wait, I'll bet the `rm_ajax_secure` nonce is *not even checked* for `rm_get_stats`.\n    Many RM vulnerabilities in 2024\u002F2025 involve `run()` not checking nonces or permissions correctly.\n\n    1.  Login as Subscriber.\n    2.  Request `admin-ajax.php?action=rm_get_stats&rm_slug=rm_user_manage`.\n    3.  Check if it returns the user manager HTML.\n    4.  
If it needs a nonce, try to find one. (Check `wp-admin` dashboard for any localized RM nonces).\n\n    Wait, looking at `class_rm_admin.php` again:\n    `$this->icon = base64_encode('\u003Csvg ...');`\n    Nothing there.","RegistrationMagic for WordPress is vulnerable to sensitive information exposure because several administrative controller actions and views lack proper authorization and nonce checks. Authenticated users with Subscriber-level privileges can invoke these actions—such as retrieving additional user details or accessing form attachment lists—by directly interacting with the plugin's controller routing system.","\u002F\u002F admin\u002Fcontrollers\u002Fclass_rm_user_controller.php line 428-440\npublic function additional_details($model, RM_User_Services $service, $request, $params){\n    $user_details = array();\n    \u002F\u002Fif(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {\n        if(!empty($request->req['user_ids'])){\n            $user_ids = $request->req['user_ids'];\n            $user_details = $service->user_additional_details($user_ids);\n        }\n    \u002F\u002F}\n    wp_send_json_success($user_details);\n    die();\n    \n}\n\n---\n\n\u002F\u002F admin\u002Fcontrollers\u002Fclass_rm_form_controller.php line 292-311\npublic function quick_add($model, $service, $request, $params) {\n    $valid = false;\n    if ($this->mv_handler->validateForm(\"rm_form_quick_add\")) {\n        $model->set($request->req);\n\n        $valid = $model->validate_model();\n    }\n    if ($valid) {\n        \u002F\u002FBy default make it registration type\n        $model->set_form_type(1);\n        $model->set_default_form_user_role('subscriber');\n\n        if (isset($request->req['form_id']))\n            $valid = $service->update($request->req['form_id']);\n        else\n            $service->add_user_form();\n    }\n\n    $this->manage($model, $service, $request, $params);\n}\n\n---\n\n\u002F\u002F admin\u002Fclass_rm_admin.php line 487-495\nif 
(in_array( $role_slug, $value[2] )){\n\n    if ( ! $rm_role->has_cap( $value[0].\"manage_options\" ) ) {\n\n        $rm_role->add_cap( $value[0].\"manage_options\" );\n\n        $role_added = true;\n\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.1\u002Fadmin\u002Fclass_rm_admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.2\u002Fadmin\u002Fclass_rm_admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.1\u002Fadmin\u002Fclass_rm_admin.php\t2026-01-05 07:43:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcustom-registration-form-builder-with-submission-manager\u002F6.0.7.2\u002Fadmin\u002Fclass_rm_admin.php\t2026-01-16 07:46:28.000000000 +0000\n@@ -477,7 +477,6 @@\n                 $admin_order = $gopts->get_value_of('enable_admin_order') == 'yes' ? $gopts->get_value_of('admin_order') : $gopts->default['admin_order'];\n                 $admin_order = apply_filters('rm_admin_menu_order_list',$admin_order, $gopts);\n                 $role_top_admin = array(\"administrator\");\n-\n                 foreach ($admin_order as $value) {\n \n                     foreach ( $roles as $role_slug => $role ) {\n@@ -485,8 +484,7 @@\n                         $rm_role = get_role( $role_slug );\n \n                         if (in_array( $role_slug, $value[2] )){\n-\n-                            if ( ! $rm_role->has_cap( $value[0].\"manage_options\" ) ) {\n+                            if ( ! 
$rm_role->has_cap( $value[0].\"manage_options\" ) && !empty(trim($value[0])) ) {\n \n                                 $rm_role->add_cap( $value[0].\"manage_options\" );\n \n@@ -805,7 +803,7 @@\n \n                             } elseif ($value[0] == 'rm_subscriptions') {\n                                 \u002F\u002F attachments menu\n-                                do_action(\"rm_admin_menu_after_automation\",$value[0]);\n+                                do_action(\"rm_admin_menu_after_automation\",$value[0], $value[3]);\n                                 \n                             } elseif ($value[0] == 'rm_analytics_show_form') {\n \n@@ -1125,6 +1123,10 @@\n \n                                     \u002F\u002F do_action(\"rm_admin_menu_after_field_stats\",\"\");\n \n+                                }  elseif ($value[0] == 'rm_subscriptions') {\n+                                    \u002F\u002F attachments menu\n+                                    do_action(\"rm_admin_menu_after_automation\",$value[0], $value[3]);\n+                                \n                                 } elseif ($value[0] == 'rm_analytics_show_form') {\n \n                                     \u002F\u002F Analytics > FORMS\n@@ -1174,7 +1176,7 @@\n \n                                     \u002F\u002F setting\n \n-                                    add_submenu_page(\"rm_form_manage\", RM_UI_Strings::get('ADMIN_MENU_SETTINGS'), RM_UI_Strings::get('ADMIN_MENU_SETTINGS'), \"manage_options\", \"rm_options_manage\", array($this->get_controller(), 'run'));\n+                                    add_submenu_page(current_user_can('manage_options') ? 
\"rm_form_manage\" : \"rm_dummy_string\", RM_UI_Strings::get('ADMIN_MENU_SETTINGS'), RM_UI_Strings::get('ADMIN_MENU_SETTINGS'), \"manage_options\", \"rm_options_manage\", array($this->get_controller(), 'run'));\n \n                                     \u002F\u002F setting options\n \n@@ -290,24 +290,26 @@\n     }\n \n     public function quick_add($model, $service, $request, $params) {\n-        $valid = false;\n-        if ($this->mv_handler->validateForm(\"rm_form_quick_add\")) {\n-            $model->set($request->req);\n+        if (current_user_can('manage_options') || current_user_can('rm_form_managemanage_options')) {\n+            $valid = false;\n+            if ($this->mv_handler->validateForm(\"rm_form_quick_add\")) {\n+                $model->set($request->req);\n \n-            $valid = $model->validate_model();\n-        }\n-        if ($valid) {\n-            \u002F\u002FBy default make it registration type\n-            $model->set_form_type(1);\n-            $model->set_default_form_user_role('subscriber');\n+                $valid = $model->validate_model();\n+            }\n+            if ($valid) {\n+                \u002F\u002FBy default make it registration type\n+                $model->set_form_type(1);\n+                $model->set_default_form_user_role('subscriber');\n \n-            if (isset($request->req['form_id']))\n-                $valid = $service->update($request->req['form_id']);\n-            else\n-                $service->add_user_form();\n-        }\n+                if (isset($request->req['form_id']))\n+                    $valid = $service->update($request->req['form_id']);\n+                else\n+                    $service->add_user_form();\n+            }\n \n-        $this->manage($model, $service, $request, $params);\n+            $this->manage($model, $service, $request, $params);\n+        }\n     }\n \n     public function import($model, $service, $request, $params) {\n@@ -560,7 +560,7 @@\n         \n     }\n  
   public function admin_menu($model, RM_Setting_Service $service, $request, $params){\n-        if ($this->mv_handler->validateForm(\"options_admin_menu\")){\n+        if ($this->mv_handler->validateForm(\"options_admin_menu\") && current_user_can('manage_options')) {\n             if ($request->req['restore'] == 'false'){\n                 $options = array();\n                 $options['admin_order'] = \"\";\n@@ -428,17 +428,15 @@\n         $this->manage($model,$service,$request,$params);\n     }\n     \n-    public function additional_details($model, RM_User_Services $service, $request, $params){\n-        $user_details = array();\n-        \u002F\u002Fif(check_ajax_referer('rm_ajax_secure','rm_sec_nonce')) {\n-            if(!empty($request->req['user_ids'])){\n+    public function additional_details($model, RM_User_Services $service, $request, $params) {\n+        if(check_ajax_referer('rm_ajax_secure','rm_sec_nonce') && (current_user_can('manage_options') || current_user_can('rm_user_managemanage_options'))) {\n+            $user_details = array();\n+            if(!empty($request->req['user_ids'])) {\n                 $user_ids = $request->req['user_ids'];\n                 $user_details = $service->user_additional_details($user_ids);\n             }\n-        \u002F\u002F}\n-        wp_send_json_success($user_details);\n-        die();\n-        \n+            wp_send_json_success($user_details);\n+        }\n     }","An authenticated attacker with Subscriber-level privileges can exploit this vulnerability by directly calling administrative actions registered through the plugin's `RM_Main_Controller::run` router. Specifically, the attacker can use the `rm_get_stats` AJAX action (intended for admins) and provide a privileged `rm_slug` (e.g., `rm_user_manage`) along with the target action (e.g., `additional_details`). 
Because the vulnerable functions lacked permission checks and, in the case of `additional_details`, had the nonce verification commented out, the attacker can retrieve sensitive user profile data by supplying a list of `user_ids` in the request, or perform other unauthorized actions like creating\u002Fmodifying forms via `quick_add`.","gemini-3-flash-preview","2026-04-18 04:15:37","2026-04-18 04:16:14",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.0.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]