
CVE-2025-2103

Severity: High
Published: 14 March 2025
Modified: 21 March 2025
KEV added: not listed
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0010 (27.9th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2103 is a high-severity Missing Authorization (CWE-862) vulnerability in Irontemplates Soundrise. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 27.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2025-2103 is a vulnerability in the SoundRise Music plugin for WordPress, affecting all versions up to and including 1.6.11. It stems from a missing capability check in the theironMusic_ajax() function, which allows unauthorized modification of data that results in privilege escalation. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-862 (Missing Authorization).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By updating arbitrary WordPress site options, they can, for example, modify the default role for new user registrations to administrator and enable registration, allowing them to create an administrative account and achieve full site compromise.
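The two handlers below are an added illustration of the CWE-862 pattern this advisory describes; they are hypothetical and are not the SoundRise plugin's code. The first shows an admin-ajax handler that writes any option for any logged-in user; the second adds the nonce check, capability check and option allow-list that WordPress core provides. All function, hook and option names prefixed with `hypothetical_` are assumptions.

```php
<?php
// Added example, not the plugin's code. Both handlers sit on admin-ajax.php,
// which is reachable by any authenticated user (subscriber and above).

// Vulnerable pattern (shown for contrast, deliberately not hooked):
// no nonce, no capability check, and the option name comes from the request,
// so core options such as default_role or users_can_register are writable.
function hypothetical_vulnerable_ajax() {
    $name  = sanitize_text_field( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value ); // any logged-in user reaches this line
    wp_send_json_success();
}

// Hardened pattern: the three checks that close the hole.
function hypothetical_hardened_ajax() {
    // 1. Nonce: the request must originate from a form this plugin rendered
    //    (check_ajax_referer() dies with -1 on failure).
    check_ajax_referer( 'hypothetical_save_nonce', 'nonce' );

    // 2. Capability: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: the handler may only touch its own options, never
    //    arbitrary keys supplied by the client.
    $allowed = array( 'hypothetical_player_theme', 'hypothetical_autoplay' );
    $name    = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
// Only the hardened handler is registered; no wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach it.
add_action( 'wp_ajax_hypothetical_save', 'hypothetical_hardened_ajax' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_` callback that calls `update_option()` without a preceding `current_user_can()` test and without constraining the option name.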

Mitigation details are outlined in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/e8c0f9d8-c5cf-4e31-bc0b-289ad7c1d197?source=cve and the plugin page on ThemeForest at https://themeforest.net/item/soundrise-artists-producers-and-record-labels-wordpress-theme/19764337.


Vulnerability details

The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization check in AJAX function allows authenticated low-priv users to modify arbitrary site options, directly enabling privilege escalation by changing default registration role to administrator and enabling user registration to create admin accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-0026 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-48634 (shared CWE-862)
CVE-2026-28193 (shared CWE-862)
CVE-2026-0845 (shared CWE-862)
CVE-2025-49723 (shared CWE-862)
CVE-2024-12171 (shared CWE-862)

Affected Assets

Vendor: irontemplates
Product: soundrise
Versions: ≤ 1.7.1

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by identifying, reporting, and remediating the flaw in the SoundRise plugin's missing capability check.

Prevent: Enforces approved authorizations for logical access, directly addressing the missing capability check that allows unauthorized data modification and privilege escalation.

Prevent: Restricts access to configuration changes such as WordPress site options, preventing low-privileged users from updating arbitrary settings to enable privilege escalation.
