PT-2025-11245 · WordPress · Soundrise Music

Tonn

Published

2025-03-14

Updated

2025-03-21

CVE-2025-2103

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: SoundRise Music plugin for WordPress versions up to, and including, 1.6.11

Description: The issue allows unauthorized modification of data, potentially leading to privilege escalation, due to a missing capability check on the theirMusic ajax() function. This enables authenticated attackers with subscriber-level access and above to update arbitrary options on the WordPress site, which can be leveraged to gain administrative user access.

Recommendations: For versions up to, and including, 1.6.11, update to a version that includes a fix for the missing capability check on the theirMusic ajax() function. As a temporary workaround, consider disabling the theirMusic ajax() function until a patch is available.

Fix

LPE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-2103

Affected Products

Soundrise Music

PT-2025-11245 · WordPress · Soundrise Music

CVE-2025-2103

Weakness Enumeration

Related Identifiers

Affected Products

References · 13