Description
Subscriber Privilege Escalation in Sonaar <= 4.27.4 versions.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in WordPress sites that use the Sonaar theme up to version 4.27.4 lets an attacker with a subscriber account elevate their privileges beyond the intended restrictions. The vulnerability bypasses internal access controls, allowing the attacker to perform actions normally reserved for higher‑privileged roles, such as creating, editing, or deleting content, thereby compromising the confidentiality, integrity, and availability of the site.

Affected Systems

The issue affects the Sonaar WordPress theme published by SONAAR MUSIC. All releases up to and including 4.27.4 are vulnerable; version 4.27.5 and later contain the necessary fix.

Risk and Exploitability

The CVSS score of 8.8 classifies this as a severe vulnerability. EPSS data is not available, but the lack of a CISA KEV listing does not mitigate the risk. The attack vector is likely an authenticated visitor with a subscriber role who exploits theme code that incorrectly grants elevated permissions. Any site running a vulnerable version is at risk of privilege escalation.

Generated by OpenCVE AI on June 18, 2026 at 12:31 UTC.

Remediation

Vendor Solution

Update the WordPress Sonaar theme to the latest available version (at least 4.27.5).

OpenCVE Recommended Actions

  • Install the latest Sonaar theme release (4.27.5 or newer) to apply the security fix.
  • Audit user roles to ensure the subscriber role does not have unintended capabilities.
  • Enforce role‑based access control using native WordPress settings or a dedicated plugin to apply the principle of least privilege.
  • Maintain an update policy that automatically applies critical theme patches as they become available.

Generated by OpenCVE AI on June 18, 2026 at 12:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Privilege Escalation in Sonaar <= 4.27.4 versions.
Title WordPress Sonaar theme <= 4.27.4 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:40:28.119Z

Reserved: 2025-09-17T18:00:53.704Z

Link: CVE-2025-59563

cve-icon Vulnrichment

Updated: 2026-06-17T12:40:22.966Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:45:03Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment