RegistrationMagic WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the RegistrationMagic plugin for WordPress, affecting all versions through 6.0.7.1. The issue arises because the plugin's 'add_menu' function is reachable through the 'rm_user_exists' AJAX action, which does not require authentication, so an unauthenticated request can inject an empty slug into the order parameter. That malformed input disrupts the plugin's menu generation process and ends with the 'manage_options' capability being added to the targeted user role. The request itself needs no authentication, but to make use of the elevated role the attacker needs an account assigned to it, so in practice at least a subscriber account is required to turn the role change into administrative access.

Impact

Exploitation of this vulnerability allows unauthorized users to gain elevated privileges, specifically the 'manage_options' capability, which WordPress reserves for administrators and which amounts to administrator-level control of the site.

Reproduction

To reproduce this vulnerability, send an AJAX request to the 'rm_user_exists' action with an empty slug injected into the order parameter. This reaches the 'add_menu' function, which manipulates the admin_order setting and adds the 'manage_options' capability to the specified user role.

Remediation

Users are advised to update the RegistrationMagic WordPress plugin to version 6.0.7.2 or a newer patched version. Updating removes the vulnerable code path but does not revert a role definition that was already modified, so after updating, review which roles hold 'manage_options' and remove the capability from any role that should not have it.
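A post-update check an administrator would want to run, added here as an example and not part of this advisory or of the plugin: it looks for the outcome the advisory describes, a non-administrator role holding 'manage_options', and compares the installed plugin version against the first fixed release. The role data is assumed to come from WP-CLI (`wp option get wp_user_roles --format=json`), and the version string from `wp plugin get <slug> --field=version`; the advisory does not name the plugin slug, so it is left as a placeholder. The role table below is a constructed sample, not data from a real site.

```python
"""Audit a WordPress site for the outcome of the RegistrationMagic privilege
escalation: a non-administrator role that holds 'manage_options'.

Assumed input: the JSON that WP-CLI prints for
    wp option get wp_user_roles --format=json
i.e. a mapping of role slug -> {"name": ..., "capabilities": {cap: bool}}.
"""
import json

FIXED_VERSION = "6.0.7.2"          # first patched release named in the advisory
SENSITIVE_CAPS = {"manage_options"}  # the capability the advisory says gets granted

# Roles that legitimately hold manage_options in a stock single-site install.
EXPECTED_ADMIN_ROLES = {"administrator"}

# Constructed sample (not from a real site): what the role table looks like
# after the escalation has added manage_options to the 'subscriber' role.
SAMPLE_WP_USER_ROLES = json.dumps({
    "administrator": {"name": "Administrator",
                      "capabilities": {"manage_options": True, "edit_posts": True}},
    "editor": {"name": "Editor",
               "capabilities": {"edit_posts": True, "manage_options": False}},
    "subscriber": {"name": "Subscriber",
                   "capabilities": {"read": True, "manage_options": True}},
})


def parse_version(version):
    """'6.0.7.1' -> (6, 0, 7, 1) so versions compare numerically, not as strings.
    Non-numeric components are treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.strip().split("."))


def is_vulnerable_version(installed):
    """True when the installed plugin version is older than the first fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def find_escalated_roles(wp_user_roles_json, sensitive=SENSITIVE_CAPS,
                         expected=EXPECTED_ADMIN_ROLES):
    """Return {role_slug: [caps]} for roles outside `expected` that hold any
    sensitive capability. WordPress stores caps as slug -> bool, and a False
    entry is an explicit denial, so only True counts as granted."""
    roles = json.loads(wp_user_roles_json)
    findings = {}
    for slug, role in roles.items():
        if slug in expected:
            continue
        caps = role.get("capabilities", {})
        held = sorted(c for c in sensitive if caps.get(c) is True)
        if held:
            findings[slug] = held
    return findings


def audit(installed_version, wp_user_roles_json):
    """Combine the version check and the role audit into one report."""
    return {
        "vulnerable_version": is_vulnerable_version(installed_version),
        "escalated_roles": find_escalated_roles(wp_user_roles_json),
    }


if __name__ == "__main__":
    report = audit("6.0.7.1", SAMPLE_WP_USER_ROLES)
    print(json.dumps(report, indent=2))
    # Reverting the escalation means removing the cap from the role definition;
    # the matching WP-CLI command is printed for each finding.
    for slug, caps in report["escalated_roles"].items():
        print(f"wp cap remove {slug} {' '.join(caps)}")
```

The advisory describes the capability being added to a role rather than to an individual user, which is why the check reads the role table; every user assigned to that role inherits the grant, and removing the capability from the role reverts it for all of them. Treat findings as leads rather than proof of compromise: sites with custom roles may hold 'manage_options' legitimately, so extend EXPECTED_ADMIN_ROLES with any such role before acting on the output.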

Added: Jan 17, 2026, 3:30 AM
Updated: Jan 17, 2026, 3:30 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 7.5
exploitability: 6.4
remediation: 7.7
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.