CVE-2025-15520: RegistrationMagic Information Disclosure

CVE-2025-15520 Overview

CVE-2025-15520 is a Broken Access Control vulnerability affecting the RegistrationMagic WordPress plugin before version 6.0.7.2. The plugin validates nonces for security but fails to implement proper capability checks, allowing authenticated users with subscriber-level access or above to access sensitive data that should be restricted to administrators.

Critical Impact

Authenticated users with minimal privileges (subscriber role) can bypass authorization controls to access sensitive information, potentially exposing user registration data, form submissions, and plugin configuration details.

Affected Products

• RegistrationMagic WordPress plugin versions prior to 6.0.7.2
• WordPress installations using vulnerable RegistrationMagic versions
• Sites allowing user registration with subscriber-level access

Discovery Timeline

• 2026-02-13 - CVE CVE-2025-15520 published to NVD
• 2026-02-13 - Last updated in NVD database

Technical Details for CVE-2025-15520

Vulnerability Analysis

This vulnerability represents a common but critical security oversight in WordPress plugin development. While the RegistrationMagic plugin correctly implements nonce verification to prevent Cross-Site Request Forgery (CSRF) attacks, it neglects to verify that the requesting user has the appropriate capabilities (permissions) to perform the action.

In WordPress security architecture, nonces and capability checks serve distinct purposes: nonces verify that requests originate from legitimate forms within the WordPress admin, while capability checks confirm the user has authorization to perform specific actions. By only implementing nonce checks without corresponding capability verification, the plugin creates an authorization bypass vulnerability.

Attackers with valid subscriber accounts can craft requests that pass nonce validation but access functionality intended only for administrators, resulting in unauthorized information disclosure.

Root Cause

The root cause is the absence of capability checks such as current_user_can() in AJAX handlers and administrative functions. The plugin developers relied solely on nonce verification for security, which only addresses CSRF protection but does not enforce role-based access control.

Attack Vector

The vulnerability is exploitable over the network by any authenticated user with at least subscriber-level privileges. The attack requires low complexity and no user interaction. An attacker would:

1. Register or compromise an account with subscriber privileges on the target WordPress site
2. Identify AJAX endpoints or administrative functions protected only by nonce checks
3. Generate valid nonces using the subscriber session
4. Submit requests to access restricted functionality, bypassing authorization
5. Extract sensitive data exposed by the misconfigured access controls

The network-based attack vector combined with low privilege requirements makes this vulnerability particularly concerning for WordPress sites that allow public user registration.

Detection Methods for CVE-2025-15520

Indicators of Compromise

• Unusual AJAX requests from subscriber accounts to administrative endpoints in RegistrationMagic
• Subscriber-level users accessing form submission data or configuration settings
• Unexpected data export or retrieval activities originating from low-privilege accounts
• Access log entries showing authenticated requests to RegistrationMagic admin functions from non-admin users

Detection Strategies

• Monitor WordPress AJAX logs for requests to RegistrationMagic endpoints from non-administrative users
• Implement Web Application Firewall (WAF) rules to detect authorization bypass attempts
• Review access patterns for subscriber accounts accessing plugin administrative functionality
• Enable WordPress audit logging to track capability-related access attempts

Monitoring Recommendations

• Configure SentinelOne to monitor WordPress installations for unusual plugin activity patterns
• Set up alerts for subscriber accounts making requests to admin-only plugin endpoints
• Implement file integrity monitoring on WordPress plugin directories
• Review user activity logs for patterns indicating privilege escalation attempts

How to Mitigate CVE-2025-15520

Immediate Actions Required

• Update RegistrationMagic plugin to version 6.0.7.2 or later immediately
• Audit subscriber accounts for any suspicious activity or unauthorized data access
• Review WordPress access logs for signs of exploitation prior to patching
• Consider temporarily disabling public user registration until the patch is applied

Patch Information

The vulnerability has been addressed in RegistrationMagic version 6.0.7.2. Users should update through the WordPress plugin management interface or manually download the patched version from the WordPress plugin repository. For detailed technical information about this vulnerability, refer to the WPScan Vulnerability Report.

Workarounds

• Restrict user registration on WordPress sites using vulnerable plugin versions
• Implement additional access controls via a security plugin with capability enforcement
• Use a WAF to block suspicious requests to RegistrationMagic AJAX endpoints
• Audit and remove unnecessary subscriber accounts until patching is completed

# WordPress CLI command to update the plugin
wp plugin update registrationmagic --path=/var/www/html

# Verify the installed version after update
wp plugin list --name=registrationmagic --fields=name,version --path=/var/www/html