Skip to main content

Sonaar

2 CVEs product

Monthly

CVE-2025-59563 HIGH This Week

Privilege escalation in the Sonaar WordPress theme through version 4.27.4 allows an authenticated low-privileged user (Subscriber role) to elevate their permissions, gaining administrative control over the WordPress site. The flaw is categorized as CWE-266 (Incorrect Privilege Assignment) and was disclosed via Patchstack; no public exploit identified at time of analysis, but the low attacker prerequisites (any Subscriber account, which is often self-registerable on WordPress sites) make this a meaningful risk for affected installations.

Privilege Escalation Sonaar
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-59560 HIGH This Week

Reflected or stored cross-site scripting in the Sonaar WordPress theme versions 4.27.4 and earlier allows remote unauthenticated attackers to inject malicious script into pages rendered to victims who follow a crafted link or interact with attacker-controlled content. The CVSS scope-change vector (S:C) indicates the injected script can impact resources beyond the vulnerable component, such as the WordPress admin session of a logged-in user. No public exploit identified at time of analysis, and the issue is not on CISA's KEV list.

XSS Sonaar
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Sonaar WordPress theme through version 4.27.4 allows an authenticated low-privileged user (Subscriber role) to elevate their permissions, gaining administrative control over the WordPress site. The flaw is categorized as CWE-266 (Incorrect Privilege Assignment) and was disclosed via Patchstack; no public exploit identified at time of analysis, but the low attacker prerequisites (any Subscriber account, which is often self-registerable on WordPress sites) make this a meaningful risk for affected installations.

Privilege Escalation Sonaar
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected or stored cross-site scripting in the Sonaar WordPress theme versions 4.27.4 and earlier allows remote unauthenticated attackers to inject malicious script into pages rendered to victims who follow a crafted link or interact with attacker-controlled content. The CVSS scope-change vector (S:C) indicates the injected script can impact resources beyond the vulnerable component, such as the WordPress admin session of a logged-in user. No public exploit identified at time of analysis, and the issue is not on CISA's KEV list.

XSS Sonaar
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy