CVE-2025-2103
Published: 14 March 2025
Summary
CVE-2025-2103 is a high-severity Missing Authorization (CWE-862) vulnerability in Irontemplates Soundrise. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 27.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2025-2103 is a vulnerability in the SoundRise Music plugin for WordPress, affecting all versions up to and including 1.6.11. It stems from a missing capability check in the theironMusic_ajax() function, enabling unauthorized modification of data that results in privilege escalation. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H) and is classified under CWE-862 (Missing Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By updating arbitrary WordPress site options, they can, for example, modify the default role for new user registrations to administrator and enable registration, allowing them to create an administrative account and achieve full site compromise.
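To make the CWE-862 pattern concrete, the following is an added illustrative example, not the SoundRise plugin's code: a hypothetical WordPress AJAX handler that writes site options without any authorization check, placed beside a hardened version. Function names, the hook name and the allowlisted option keys are all assumed.

```php
<?php
// Added example (hypothetical, not the plugin's source). WordPress routes any
// logged-in user, subscriber-level included, to wp_ajax_* callbacks, so the
// callback itself must enforce authorization.

// VULNERABLE pattern: no capability check, no nonce, and the caller chooses
// which option is written, so any site option becomes writable.
function example_vulnerable_ajax() {                                  // hypothetical name
    $key   = sanitize_text_field( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = wp_unslash( $_POST['option_value'] ?? '' );
    update_option( $key, $value );                                    // arbitrary option write (CWE-862)
    wp_send_json_success();
}

// HARDENED pattern: capability check, nonce check, and an allowlist of the
// option keys this feature legitimately owns.
const EXAMPLE_ALLOWED_OPTIONS = array(                                // hypothetical keys
    'example_player_autoplay',
    'example_player_theme',
);

function example_hardened_ajax() {                                    // hypothetical name
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );                       // rejects low-privileged callers
    }
    check_ajax_referer( 'example_settings_nonce', 'nonce' );          // dies on a missing or invalid nonce

    $key = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $key, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        // Core options such as default_role or users_can_register can never
        // be reached through this handler.
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $key, $value );
    wp_send_json_success();
}

// Only the hardened handler is registered; wp_ajax_nopriv_ is deliberately not used.
add_action( 'wp_ajax_example_save_settings', 'example_hardened_ajax' );
```

The two core options named in the advisory's attack path are `default_role` and `users_can_register`; on a site that ran a vulnerable version, confirming with `wp option get default_role` and `wp option get users_can_register` that neither has been altered is a quick post-patch check.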
Mitigation details are outlined in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/e8c0f9d8-c5cf-4e31-bc0b-289ad7c1d197?source=cve and the plugin page on ThemeForest at https://themeforest.net/item/soundrise-artists-producers-and-record-labels-wordpress-theme/19764337.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6443
Vulnerability details
The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization check in the AJAX function allows authenticated low-privileged users to modify arbitrary site options. This directly enables privilege escalation (T1068): changing the default registration role to administrator and enabling user registration lets an attacker create administrator accounts.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by identifying, reporting, and remediating the flaw in the SoundRise plugin's missing capability check.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access, directly addressing the missing capability check that allows unauthorized data modification and privilege escalation.
- CM-5 (Access Restrictions for Change): restricts access to configuration changes such as WordPress site options, preventing low-privileged users from updating arbitrary settings to enable privilege escalation.