Critical WordPress Plugin Flaw Allows Attackers to Gain Full Admin Access Without Authentication (CVE-2025-15403)

CVE-2025-15403 is a critical privilege escalation vulnerability affecting the RegistrationMagic plugin used on WordPress sites.
The flaw allows a low-privileged user (or an attacker who later registers a basic account) to gain administrator-level capabilities by abusing an improperly protected AJAX handler.

This issue is especially dangerous because:

  • The initial attack vector is unauthenticated
  • The exploit does not rely on SQL injection, file upload, or XSS
  • The resulting access grants full administrative control

Once exploited, the attacker can completely take over the site.


Affected Versions

  • RegistrationMagic plugin
  • All versions up to and including 6.0.7.1

Any site running these versions should be considered compromised until proven otherwise.


Root Cause (Technical Breakdown)

The vulnerability originates from unsafe capability assignment logic inside the plugin’s admin menu handling code.

What went wrong

  1. The plugin exposes an AJAX action (rm_user_exists) that is:
    • Accessible without authentication
    • Missing strict authorization checks
  2. This AJAX handler internally calls a function responsible for:
    • Managing admin menu order
    • Mapping menu slugs to required WordPress capabilities
  3. An attacker submits a crafted request containing:
    • An empty or malformed menu slug
    • A manipulated admin_order payload
  4. In response, the plugin incorrectly:
    • Assigns the capability manage_options
    • Applies it to roles that should never receive it (e.g., Subscriber)

Why this matters

In WordPress, manage_options effectively equals admin.
Any role with this capability can:

  • Access wp-admin settings
  • Install or delete plugins
  • Modify themes
  • Create new administrators
  • Execute arbitrary PHP via plugin/theme editors

Exploitation Flow (High-Level)

This explanation is for defensive and educational purposes only.

  1. Unauthenticated request is sent to admin-ajax.php
  2. Malicious payload alters the plugin’s internal menu capability mapping
  3. Attacker registers or logs in as a low-privileged user
  4. WordPress now treats that user as having administrator privileges
  5. Full site compromise follows

No race conditions, no brute force, no user interaction required.


Real-World Impact

If exploited, an attacker can:

  • Create hidden admin users
  • Install backdoored plugins or themes
  • Modify PHP files for persistence
  • Redirect traffic or inject malware
  • Steal database credentials
  • Use the site as part of a botnet

Because the exploit abuses legitimate WordPress permission structures, traditional malware scanners may not detect it.


Detection & Threat Hunting (Practical)

1. Log-Based Detection (Web / WAF)

Monitor for suspicious AJAX requests:

POST /wp-admin/admin-ajax.php
action=rm_user_exists

Red flags in request body:

  • admin_order containing empty values
  • Unexpected serialized arrays
  • Repeated calls from unauthenticated IPs
  • Requests without WordPress nonces
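The red flags above, turned into hunting logic over request records. This is an added example written for this article, not tooling from the plugin or the advisory; it assumes each record is a dict with ip, method, uri, cookies and body (as a WAF or reverse proxy would export them), that WordPress nonces arrive as _wpnonce, nonce or security fields, and the sample records are constructed.

```python
from urllib.parse import parse_qs

NONCE_KEYS = ("_wpnonce", "nonce", "security")  # usual WP nonce field names (assumption)

def flags_for(rec):
    """Red flags for one request record, or None if it is not an rm_user_exists AJAX call."""
    if rec.get("method") != "POST" or not rec.get("uri", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    body = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if "rm_user_exists" not in body.get("action", []):
        return None
    flags = []
    if "wordpress_logged_in_" not in rec.get("cookies", ""):
        flags.append("no WordPress auth cookie")
    if not any(k in body for k in NONCE_KEYS):
        flags.append("no nonce")
    # admin_order arrives as admin_order[] / admin_order[key] form fields
    order_vals = [v for k, vals in body.items() if k.startswith("admin_order") for v in vals]
    if any(v == "" for v in order_vals):
        flags.append("empty admin_order value")
    if any(v.startswith(("a:", "O:")) for v in order_vals):   # PHP-serialized array/object
        flags.append("serialized admin_order value")
    return flags

def hunt(records):
    """Map client IP -> one flag list per rm_user_exists call seen from that IP."""
    hits = {}
    for rec in records:
        flags = flags_for(rec)
        if flags is not None:
            hits.setdefault(rec["ip"], []).append(flags)
    return hits

def suspicious_ips(records, min_unauth_calls=2):
    """IPs with any malformed call, or repeated calls carrying no auth cookie."""
    return [ip for ip, calls in hunt(records).items()
            if any(calls) or sum("no WordPress auth cookie" in f for f in calls) >= min_unauth_calls]

# Constructed sample records (not real traffic); bodies are URL-encoded as a proxy would log them.
SAMPLE = [
    {"ip": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "",
     "body": "action=rm_user_exists&admin_order[]=&admin_order[]=rm_settings"},
    {"ip": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "",
     "body": "action=rm_user_exists&admin_order[]=a%3A1%3A%7Bi%3A0%3Bs%3A0%3A%22%22%3B%7D"},
    {"ip": "198.51.100.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "cookies": "wordpress_logged_in_1a2b=x",
     "body": "action=rm_user_exists&_wpnonce=0123abcd&admin_order[]=rm_dashboard"},
    {"ip": "198.51.100.7", "method": "GET", "uri": "/index.php", "cookies": "", "body": ""},
]
```

Feed it the exported records of a day's admin-ajax.php traffic; the logged-in, nonce-carrying call from 198.51.100.7 yields no flags, while the two anonymous calls from 203.0.113.5 are reported.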

2. WordPress Capability Audit (Critical)

Run the following WP-CLI commands (wp role list only prints role names and slugs, so the capabilities of each low-privilege role are listed with wp cap list):

wp role list
for r in subscriber contributor author; do echo "== $r"; wp cap list "$r"; done

Look for these indicators:

  • subscriber, contributor, or author roles containing:
    • manage_options
    • install_plugins
    • edit_theme_options

Any presence means post-exploitation has already occurred.


3. Database Detection Query

Check directly in the database. Role-level grants (the kind this flaw creates) live in the serialized wp_user_roles option, while grants attached to individual users live in wp_usermeta, so query both (adjust the wp_ prefix if the site uses a custom one):

SELECT option_value FROM wp_options
WHERE option_name = 'wp_user_roles';

SELECT * FROM wp_usermeta
WHERE meta_key LIKE '%capabilities%'
AND meta_value LIKE '%manage_options%';

If manage_options appears under a non-admin role in wp_user_roles, or a non-admin user appears in the second result, the site is compromised.
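The capability audit and the database check above can be automated against the raw wp_user_roles option value (the PHP-serialized blob that SELECT returns). This is an added example for this article, not plugin or WordPress code; the minimal php_unserialize handles only the types that option uses (arrays, strings, integers, booleans, ASCII content), and the sample blob is constructed.

```python
import re

DANGEROUS = {"manage_options", "install_plugins", "edit_theme_options"}
LOW_PRIV = {"subscriber", "contributor", "author"}

def php_unserialize(data, pos=0):
    """Decode PHP serialize() output for a, s, i and b types. Returns (value, next_pos)."""
    t = data[pos]
    if t == "a":
        m = re.compile(r"a:(\d+):\{").match(data, pos)
        count, pos, out = int(m.group(1)), m.end(), {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            out[key], pos = php_unserialize(data, pos)
        return out, pos + 1                       # skip the closing '}'
    if t == "s":
        m = re.compile(r's:(\d+):"').match(data, pos)
        n, start = int(m.group(1)), m.end()       # length is in bytes; ASCII assumed
        return data[start:start + n], start + n + 2   # skip the closing '";'
    m = re.compile(r"[ib]:(-?\d+);").match(data, pos)
    val = int(m.group(1))
    return ((val != 0) if t == "b" else val), m.end()

def audit_roles(serialized):
    """Return {role: [dangerous caps]} for low-privilege roles carrying admin-level capabilities."""
    roles, _ = php_unserialize(serialized)
    findings = {}
    for slug, role in roles.items():
        granted = {cap for cap, on in role["capabilities"].items() if on}
        bad = sorted(granted & DANGEROUS)
        if slug in LOW_PRIV and bad:
            findings[slug] = bad
    return findings

# Constructed wp_user_roles value: subscriber has been given manage_options, author is clean.
WP_USER_ROLES = (
    'a:3:{'
    's:13:"administrator";a:2:{s:4:"name";s:13:"Administrator";'
    's:12:"capabilities";a:2:{s:14:"manage_options";b:1;s:4:"read";b:1;}}'
    's:10:"subscriber";a:2:{s:4:"name";s:10:"Subscriber";'
    's:12:"capabilities";a:3:{s:4:"read";b:1;s:14:"manage_options";b:1;s:7:"level_0";b:1;}}'
    's:6:"author";a:2:{s:4:"name";s:6:"Author";'
    's:12:"capabilities";a:2:{s:4:"read";b:1;s:12:"upload_files";b:1;}}'
    '}'
)

if __name__ == "__main__":
    print(audit_roles(WP_USER_ROLES))  # -> {'subscriber': ['manage_options']}
```

The same parser decodes a user's wp_capabilities row from wp_usermeta, so direct per-user grants found by the second query can be checked against DANGEROUS the same way.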


4. File Integrity Monitoring

Watch for:

  • Changes to wp-config.php
  • New PHP files inside:
    • /wp-content/uploads/
    • /wp-content/plugins/
  • Modified timestamps on RegistrationMagic plugin files

SOC / SIEM Detection Rules (Example)

Sigma-Style Logic (Simplified)

title: WordPress RegistrationMagic Privilege Escalation Attempt
logsource:
  category: webserver
detection:
  selection:
    uri: "/wp-admin/admin-ajax.php"
    post_data|contains: "rm_user_exists"
  condition: selection
level: high

ModSecurity / WAF Rule Concept

Block or alert on:

  • AJAX requests invoking rm_user_exists
  • Requests without valid authentication cookies
  • Repeated malformed admin_order parameters

Mitigation & Hardening

Immediate Actions

  1. Disable the RegistrationMagic plugin
  2. Audit all user roles
  3. Rotate:
    • WordPress salts
    • Admin passwords
  4. Review installed plugins/themes for unauthorized changes

Long-Term Protections

  • Restrict access to /wp-admin/admin-ajax.php (many plugins serve front-end features through it, so block unauthenticated calls to specific actions such as rm_user_exists rather than the whole endpoint, and test before deploying)
  • Enforce least-privilege roles
  • Enable file integrity monitoring
  • Log all role/capability changes
  • Use WAF rules specific to WordPress AJAX abuse

Patch / Upgrade (Official Fix)

Upgrade immediately to a patched version of RegistrationMagic.

Official plugin page (updates & changelog):
https://wordpress.org/plugins/custom-registration-form-builder-with-submission-manager/


Final Assessment

CVE-2025-15403 is a silent, high-impact privilege escalation flaw.
It does not rely on malware, exploits WordPress internals directly, and leaves minimal forensic traces unless you actively monitor capabilities.

If your site ran a vulnerable version even briefly, you must assume compromise until verified otherwise.