Cyber Resilience

CVE-2025-15403

Critical

Published: 17 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (plugin changeset 3440797)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (36.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-15403 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in the RegistrationMagic plugin for WordPress (the affected product is inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 36.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation). In practice that means updating RegistrationMagic beyond 6.0.7.1 (the fix is in plugin changeset 3440797) and then confirming that no role other than administrator has acquired the 'manage_options' capability.

Deeper analysis

CVE-2025-15403 is a privilege escalation vulnerability in the RegistrationMagic plugin for WordPress, affecting all versions up to and including 6.0.7.1. The flaw arises because the 'add_menu' function is reachable through the 'rm_user_exists' AJAX action, which allows arbitrary updates to the 'admin_order' setting. An attacker can inject an empty slug into the order parameter; when the admin menu is next built, the plugin's menu generation logic mishandles that entry and adds the 'manage_options' capability to the target role.

The request that poisons 'admin_order' is remote, low-complexity, and needs neither authentication nor user interaction, which is why the vector scores PR:N. The capability itself is only granted when the admin menu is subsequently built, and to make use of it the attacker needs an account in the targeted role, at minimum a subscriber. Holding 'manage_options' gives administrator-level control over site settings, which accounts for the high confidentiality, integrity and availability impacts in the CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and for the CWE-269 (Improper Privilege Management) classification.
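The durable post-condition of a successful attack is a non-administrator role carrying 'manage_options' in the site's stored role table, which survives a plugin update. The following is an added example, not code from WordPress or RegistrationMagic: an offline audit of the serialized 'wp_user_roles' option (the option_value row in wp_options, stored under the table-prefixed name, 'wp_user_roles' with the default prefix) that reports any untrusted role holding a sensitive capability. The sample value, the function name and the capability list are constructed for this example; the generalization to other sensitive capabilities goes beyond the page's single 'manage_options' case.

```php
<?php
/**
 * Added example (not WordPress or RegistrationMagic code): audit a stored
 * wp_user_roles value for roles that should not hold sensitive capabilities.
 * Usage: php audit_roles.php [file-containing-raw-option_value]
 * Without an argument it runs against the constructed sample below.
 */

/**
 * Return roles outside $trusted that hold any capability in $sensitive.
 * Result shape: array( role_slug => array( cap, ... ) ).
 */
function rm_find_escalated_roles(
    $serialized_roles,
    $sensitive = array( 'manage_options' ),   // hypothetical default list; extend as needed
    $trusted   = array( 'administrator' )
) {
    // wp_user_roles is a plain nested array; refuse any object payload.
    $roles = @unserialize( $serialized_roles, array( 'allowed_classes' => false ) );
    if ( ! is_array( $roles ) ) {
        throw new InvalidArgumentException( 'wp_user_roles did not unserialize to an array' );
    }

    $findings = array();
    foreach ( $roles as $slug => $definition ) {
        if ( in_array( $slug, $trusted, true ) || empty( $definition['capabilities'] ) ) {
            continue;
        }
        $granted = array();
        foreach ( $sensitive as $cap ) {
            // WordPress stores capabilities as cap => bool; false is an explicit denial.
            if ( ! empty( $definition['capabilities'][ $cap ] ) ) {
                $granted[] = $cap;
            }
        }
        if ( $granted ) {
            $findings[ $slug ] = $granted;
        }
    }
    return $findings;
}

// Constructed sample: three roles, with 'subscriber' already poisoned the way
// the advisory describes (manage_options added to a low-privilege role).
$sample = serialize( array(
    'administrator' => array( 'name' => 'Administrator', 'capabilities' => array( 'manage_options' => true, 'read' => true ) ),
    'editor'        => array( 'name' => 'Editor',        'capabilities' => array( 'read' => true, 'edit_posts' => true ) ),
    'subscriber'    => array( 'name' => 'Subscriber',    'capabilities' => array( 'read' => true, 'manage_options' => true ) ),
) );

$input = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample;

$findings = rm_find_escalated_roles( $input, array( 'manage_options', 'edit_users', 'install_plugins' ) );
if ( ! $findings ) {
    echo "OK: no untrusted role holds a sensitive capability\n";
}
foreach ( $findings as $role => $caps ) {
    printf( "ALERT: role '%s' holds %s\n", $role, implode( ', ', $caps ) );
}
```

Run it against the raw option_value pulled from the database of each site running the plugin; on the sample it flags 'subscriber' for 'manage_options'. Any finding on a real site means the role table must be repaired (and user accounts in that role reviewed) in addition to updating the plugin, because the update alone does not revoke a capability already written to the role.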

Advisories and references, including Wordfence threat intelligence and the WordPress plugin Trac, point to the affected code at admin/class_rm_admin.php (line 487) and admin/controllers/class_rm_options_controller.php (line 562), and to changeset 3440797, which addresses the issue. Practitioners should consult those resources for patch details and update the plugin accordingly.

Vulnerability details

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action, which allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user.

CWE(s)

CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) poisons a menu-ordering setting so that the plugin later adds an elevated capability to a user role, which is the privilege escalation step (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12281 (shared CWE-269)
CVE-2025-13538 (shared CWE-269)
CVE-2024-57602 (shared CWE-269)
CVE-2026-2631 (shared CWE-269)
CVE-2025-13542 (shared CWE-269)
CVE-2025-13563 (shared CWE-269)
CVE-2025-15027 (shared CWE-269)
CVE-2025-22937 (shared CWE-269)
CVE-2025-0180 (shared CWE-269)
CVE-2025-6758 (shared CWE-269)

Affected Assets

RegistrationMagic plugin for WordPress, all versions up to and including 6.0.7.1
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: flaw remediation
Timely identification, reporting, and correction of the flaw in RegistrationMagic up to version 6.0.7.1, that is, updating the plugin beyond that version, directly prevents exploitation of the privilege escalation vulnerability.

prevent: SI-10 (Information Input Validation)
Validates inputs such as the order parameter of the rm_user_exists AJAX action, rejecting an empty slug before it can reach the admin_order setting and the menu generation logic.

prevent: AC-6 (Least Privilege)
Enforces least privilege so that a setting which influences capability assignment is writable only by users who already hold manage_options, preventing the unauthorized addition of that capability to target roles through manipulated plugin menu generation.
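The two controls above map onto two concrete changes in a WordPress AJAX handler: the action must not be reachable by logged-out users and must verify a nonce and a capability, and the submitted order must be validated entry by entry so that an empty slug never reaches the stored setting. The block below is an added example written for this page; it is not the RegistrationMagic plugin's code and does not reproduce its menu-building logic. The action name 'rm_save_admin_order', the option name 'rm_admin_order', the nonce action and the allow-list of menu slugs are all hypothetical.

```php
<?php
/**
 * Added example, not RegistrationMagic code. A hardened state-changing AJAX
 * handler for a menu-order setting, applying:
 *   AC-6  : no wp_ajax_nopriv_ hook, a nonce check and a capability check;
 *   SI-10 : every submitted entry must be a non-empty, known, unique slug.
 * Names below (action, option, nonce, slugs) are assumed for the example.
 */

/** Menu slugs this example considers valid (assumed). */
function rm_known_menu_slugs() {
    return array( 'rm_form_manage', 'rm_submissions', 'rm_settings' );
}

/**
 * Validate a submitted menu order. Returns the cleaned list or a WP_Error.
 * The empty-slug case the advisory describes is rejected here, as is any
 * slug outside the allow-list, any duplicate, and any non-string entry.
 */
function rm_validate_admin_order( $raw ) {
    if ( ! is_array( $raw ) ) {
        return new WP_Error( 'rm_bad_order', 'order must be an array of menu slugs' );
    }
    $allowed = rm_known_menu_slugs();
    $clean   = array();
    foreach ( $raw as $entry ) {
        if ( ! is_string( $entry ) ) {
            return new WP_Error( 'rm_bad_order', 'order entries must be strings' );
        }
        $slug = sanitize_key( $entry ); // lower-case a-z, 0-9, '_' and '-' only
        if ( '' === $slug
            || ! in_array( $slug, $allowed, true )
            || in_array( $slug, $clean, true ) ) {
            return new WP_Error( 'rm_bad_order', 'invalid or repeated menu slug in order' );
        }
        $clean[] = $slug;
    }
    return $clean;
}

// Registered on wp_ajax_ only. There is deliberately no wp_ajax_nopriv_ hook,
// so admin-ajax.php answers logged-out requests for this action with its
// default "0" response and the handler never runs.
add_action( 'wp_ajax_rm_save_admin_order', 'rm_save_admin_order_handler' );

function rm_save_admin_order_handler() {
    // CSRF: the nonce must have been issued to the current user for this action.
    check_ajax_referer( 'rm_save_admin_order', 'nonce' );

    // Least privilege: a setting that feeds capability-related logic is only
    // writable by users who already hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $raw   = isset( $_POST['order'] ) ? wp_unslash( $_POST['order'] ) : null;
    $order = rm_validate_admin_order( $raw );
    if ( is_wp_error( $order ) ) {
        wp_send_json_error( array( 'message' => $order->get_error_message() ), 400 );
    }

    update_option( 'rm_admin_order', $order, false );
    wp_send_json_success( array( 'order' => $order ) );
}
```

The allow-list check is what makes the validation robust rather than cosmetic: sanitize_key() alone would turn an unexpected value into an empty string, which is exactly the input the advisory says confused the menu builder. Independently of the handler, the menu-building code path should never be the place where capabilities are assigned to roles; rendering a menu and changing a role's capability set are separate privileges and should stay in separate code.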

References