CVE-2024-12202: 
WordPress vulnerability analysis and mitigation

The Croma Music plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-12202) due to a missing capability check in the 'ironMusic_ajax' function, affecting all versions up to and including 3.6. This vulnerability was disclosed on January 7, 2025 (NVD).

The vulnerability stems from a missing authorization check in the 'ironMusic_ajax' function, which allows authenticated users with Subscriber-level access or higher to modify arbitrary options on the WordPress site. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security issue requiring network access with low attack complexity (NVD).

The vulnerability allows authenticated attackers to update arbitrary options on the WordPress site. Specifically, attackers can modify the default role for new user registrations to administrator and enable user registration, effectively allowing them to create administrative accounts and gain full control over the vulnerable site (NVD).

Users should update the Croma Music plugin to a version newer than 3.6 if available. The vulnerability was fixed in version 3.6.1 released on December 11, 2024, which addressed the security vulnerability along with other updates (Croma Changelog).