CVE-2026-1492

RegistrationMagic · User Registration & Membership (WordPress Plugin)

The RegistrationMagic WordPress plugin allows unauthenticated attackers to create administrator accounts by exploiting improper privilege management during the membership registration process.

Executive summary

A critical privilege management flaw in the RegistrationMagic WordPress plugin allows unauthenticated attackers to register new accounts with full administrative privileges.

Vulnerability

The plugin fails to enforce a server-side allowlist of user roles during registration. An unauthenticated attacker can therefore include a "role" parameter (e.g., "administrator") in the registration request, and the plugin accepts that value and applies it to the newly created account.

Business impact

This vulnerability results in a total site takeover by allowing any visitor to create an admin account. With a CVSS score of 9.8, the impact is severe, as it bypasses all standard security controls and grants the attacker full access to the WordPress dashboard and underlying data.

Remediation

Immediate Action: Update the RegistrationMagic plugin to the latest version (later than 5.1.2) without delay. Then verify that the registration settings do not allow the registering user to select a role.

Proactive Monitoring: Review the WordPress user list for any recently created accounts holding the 'Administrator' role that were not provisioned by a known administrator.

Compensating Controls: Disable public user registration if it is not required for business operations, or implement a manual approval process for all new registrations.
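The defect described under Vulnerability and the monitoring step under Remediation, as an added PHP illustration that is not RegistrationMagic's code (the plugin's source is not shown on this page): a registration handler that trusts a client-supplied role beside one that enforces a server-side allowlist, plus an audit query for recently registered administrators. The function names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not RegistrationMagic's own code. Function names are hypothetical;
// the WordPress API calls (wp_insert_user, get_role, get_users, ...) are real.

// Pattern the advisory describes: the role comes from the request and is applied as-is.
function insecure_register_user( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['user_login'], true ),
        'user_email' => sanitize_email( $request['user_email'] ),
        'user_pass'  => $request['user_pass'],
        'role'       => $request['role'], // client-controlled; 'administrator' is accepted
    ) );
}

// Hardened pattern: the role is chosen server-side from an allowlist that never
// contains privileged roles, whatever the request says.
function secure_register_user( array $request ) {
    // Roles a self-registered visitor may receive; set by the site owner.
    $allowed_roles = array( 'subscriber' );
    $default_role  = get_option( 'default_role', 'subscriber' );

    $requested = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : $default_role;
    // Strict comparison; anything outside the allowlist silently becomes the default.
    $role = in_array( $requested, $allowed_roles, true ) ? $requested : $default_role;

    // Defense in depth: even the configured default must not carry admin capabilities.
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) ) {
        return new WP_Error( 'role_denied', 'Privileged roles cannot be assigned at registration.' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['user_login'], true ),
        'user_email' => sanitize_email( $request['user_email'] ),
        'user_pass'  => $request['user_pass'],
        'role'       => $role,
    ) );
}

// Monitoring step from the remediation section: administrator accounts registered
// in the last $days days, to be reconciled against the list of known staff.
function recent_admin_accounts( int $days = 30 ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => "-{$days} days" ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
}
```

Any account returned by recent_admin_accounts() that nobody on staff recognises should be treated as a takeover indicator, not merely removed.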

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability for unauthenticated users to grant themselves administrative rights is a critical security failure. Immediate patching is mandatory to protect the integrity of the WordPress site and the privacy of its users.