CVE-2025-2103
Published: 14 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2103 is a vulnerability in the SoundRise Music plugin for WordPress, affecting all versions up to and including 1.6.11. It stems from a missing capability check in the theironMusic_ajax() function, enabling unauthorized modification of data that results in privilege escalation. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H) and is classified under CWE-862 (Missing Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By updating arbitrary WordPress site options, they can, for example, modify the default role for new user registrations to administrator and enable registration, allowing them to create an administrative account and achieve full site compromise.
Mitigation details are outlined in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/e8c0f9d8-c5cf-4e31-bc0b-289ad7c1d197?source=cve and the plugin page on ThemeForest at https://themeforest.net/item/soundrise-artists-producers-and-record-labels-wordpress-theme/19764337.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization check in AJAX function allows authenticated low-priv users to modify arbitrary site options, directly enabling privilege escalation by changing default registration role to administrator and enabling user registration to create admin accounts.