CVE-2025-15403
The RegistrationMagic plugin for WordPress
A critical privilege escalation vulnerability exists in the RegistrationMagic plugin for WordPress, rated with a CVSS score of 9.8.
Executive summary
A critical privilege escalation vulnerability exists in the RegistrationMagic plugin for WordPress, rated with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to manipulate the plugin's menu system, which can then be used to grant administrator-level privileges to any existing low-level user, such as a subscriber. Successful exploitation results in a complete compromise of the affected WordPress website.
Vulnerability
The vulnerability is due to an insecure implementation of the add_menu function, which is accessible to unauthenticated users through the rm_user_exists AJAX action. An attacker can send a specially crafted request to this AJAX endpoint, injecting an empty slug into the order parameter. This action corrupts the plugin's menu generation logic. When an administrator subsequently loads their dashboard, the corrupted logic is processed, and the plugin incorrectly assigns the manage_options capability (an administrator-level permission) to a target user role, effectively escalating the privileges of all users in that role.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit grants an attacker full administrative control over the WordPress site. The business impact is severe and can include theft of sensitive user data, financial information, and intellectual property; website defacement or reputational damage; installation of malware, ransomware, or crypto-mining scripts; and use of the server for further malicious activities. This could lead to significant financial loss, regulatory fines, and a complete loss of customer trust.
Remediation
Immediate Action: Immediately update the RegistrationMagic plugin for WordPress to the latest version available from the vendor (a version later than 6.0.7.1). After patching, conduct a thorough review of all user accounts and their assigned roles to identify and revert any unauthorized privilege escalations that may have already occurred.
Proactive Monitoring: Monitor web server and WAF logs for suspicious POST requests to /wp-admin/admin-ajax.php where the action parameter is rm_user_exists. Pay close attention to requests containing unusual or empty values in the order parameter. Implement WordPress audit logging to detect and alert on any changes to user roles and capabilities, especially the addition of manage_options to non-administrative roles.
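The two checks described above (flagging rm_user_exists calls with an empty order value, and auditing roles for manage_options) as a small added example; this is illustrative code written for this advisory, not the plugin's or WordPress's own. The JSON-lines log format, its field names, and the exact encoding of the order parameter are assumptions; the role structure mirrors the shape of WordPress's wp_user_roles option.

```python
"""Added defensive checks for the RegistrationMagic advisory (not vendor code)."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample WAF log in JSON-lines form that records request bodies.
# Field names and the order[] encoding are assumptions for this example.
SAMPLE_LOG = """
{"ip": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=rm_user_exists&order%5B%5D=&order%5B%5D=rm_menu"}
{"ip": "198.51.100.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=rm_user_exists&username=alice"}
{"ip": "192.0.2.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&data=1"}
{"ip": "203.0.113.5", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=rm_user_exists&order=", "body": ""}
"""

def suspicious_requests(log_text):
    """Return (ip, reason) tuples for admin-ajax requests matching the advisory's indicators."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        parts = urlsplit(rec["uri"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # Merge query-string and body parameters; keep_blank_values makes "order=" visible.
        params = parse_qs(parts.query, keep_blank_values=True)
        params.update(parse_qs(rec.get("body", ""), keep_blank_values=True))
        if params.get("action") != ["rm_user_exists"]:
            continue
        # Collect every value of "order", whether sent as a scalar or a PHP-style array (order[]).
        order_vals = [v for k, vs in params.items() if k.split("[")[0] == "order" for v in vs]
        if any(v == "" for v in order_vals):
            hits.append((rec["ip"], "rm_user_exists with empty order value"))
        else:
            hits.append((rec["ip"], "rm_user_exists call (review)"))
    return hits

def escalated_roles(wp_user_roles):
    """Return non-administrator roles holding manage_options, given data shaped like wp_user_roles."""
    return sorted(
        role for role, data in wp_user_roles.items()
        if role != "administrator" and data.get("capabilities", {}).get("manage_options")
    )

# Constructed role table: a subscriber role that has been granted manage_options.
SAMPLE_ROLES = {
    "administrator": {"name": "Administrator", "capabilities": {"manage_options": True, "read": True}},
    "editor": {"name": "Editor", "capabilities": {"edit_posts": True, "read": True}},
    "subscriber": {"name": "Subscriber", "capabilities": {"read": True, "manage_options": True}},
}

if __name__ == "__main__":
    for ip, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: {reason}")
    print("roles to revert:", escalated_roles(SAMPLE_ROLES))
```

On a live site the role table can be exported with `wp option get wp_user_roles --format=json` and fed to escalated_roles after json.loads.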
Compensating Controls: If patching is not immediately possible, consider the following mitigating actions:
- Implement a Web Application Firewall (WAF) rule to block or inspect requests to the rm_user_exists AJAX action.
- Temporarily disable the RegistrationMagic plugin until it can be safely updated.
- Disable new user registrations to prevent attackers from creating the subscriber-level accounts needed for the final stage of the attack.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability presents a critical and immediate risk to the organization. Due to the high CVSS score of 9.8 and the potential for a full website compromise initiated by an unauthenticated attacker, this issue must be addressed with the highest priority. We strongly recommend applying the vendor-supplied patch immediately across all affected websites. Although this CVE is not currently on the CISA KEV list, its severity warrants treating it as an actively exploited threat. A post-remediation audit of user roles is essential to ensure no prior compromise has occurred.