Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N/AC:L), requires an authenticated Subscriber (PR:L), no user interaction, and Subscriber-to-Admin escalation yields full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Privilege Escalation in Sonaar <= 4.27.4 versions.
AnalysisAI
Privilege escalation in the Sonaar WordPress theme through version 4.27.4 allows an authenticated low-privileged user (Subscriber role) to elevate their permissions, gaining administrative control over the WordPress site. The flaw is categorized as CWE-266 (Incorrect Privilege Assignment) and was disclosed via Patchstack; no public exploit identified at time of analysis, but the low attacker prerequisites (any Subscriber account, which is often self-registerable on WordPress sites) make this a meaningful risk for affected installations.
Technical ContextAI
Sonaar is a commercial WordPress theme by Sonaar Music targeted at musicians, podcasters, and audio-focused sites, with built-in player and member-area features. The CPE cpe:2.3:a:sonaar_music:sonaar covers all versions up to and including 4.27.4. The root cause class, CWE-266 (Incorrect Privilege Assignment), typically arises in WordPress themes when AJAX handlers, profile-update endpoints, or option-setting routines fail to verify the caller's capability (e.g. missing current_user_can() checks) or accept user-controlled role/meta values such as wp_capabilities or wp_user_level directly from request input, allowing a logged-in Subscriber to escalate to Administrator.
RemediationAI
Patch availability is not explicitly confirmed in the provided data, so consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/sonaar/vulnerability/wordpress-sonaar-theme-4-27-4-privilege-escalation-vulnerability for the vendor-released fixed version and upgrade Sonaar to any release later than 4.27.4 as soon as it is published. As compensating controls until patched: disable open user registration by unticking Settings > General > 'Anyone can register' (side effect: blocks legitimate self-signup, requiring manual or alternate onboarding); audit existing Subscriber accounts and remove unrecognized ones; place the site behind Patchstack's virtual patching or a WAF rule set that covers this CVE; and monitor for unexpected role/capability changes via a logging plugin such as WP Activity Log (overhead: extra DB writes per admin action).
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210222