CVE-2024-12202
📋 TL;DR
The Croma Music WordPress plugin has a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to modify WordPress site options. Attackers can change the default user registration role to administrator and enable user registration, gaining full administrative control. All WordPress sites using Croma Music plugin versions up to 3.6 are affected.
💻 Affected Systems
- Croma Music WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Attackers create administrator accounts for themselves, then use those accounts to compromise the site, install malware, or exfiltrate sensitive data.
If Mitigated
With proper access controls and monitoring, unauthorized privilege escalation attempts are detected and blocked before administrative access is obtained.
🎯 Exploit Status
Requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. Exploitation involves sending crafted AJAX requests to the vulnerable function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.6
Vendor Advisory: https://croma.irontemplates.com/lowtempo/wp-content/themes/croma/changelog.txt
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Croma Music plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Add the following code to the WordPress theme's functions.php to block access to the vulnerable ironMusic_ajax function. It runs on 'init', which fires inside admin-ajax.php before any wp_ajax_* handler, so the request is stopped before the plugin's function is reached:
add_action('init', function () {
    // Refuse any request (GET or POST, logged in or not) that names the vulnerable action.
    if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'ironMusic_ajax') {
        wp_die('Access denied');
    }
});
Restrict user registration
Disable new user registration in WordPress settings to prevent attackers from creating accounts
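The functions.php snippet above disappears the next time the theme is updated or switched, and on its own it does not stop the two option changes the advisory describes. The following must-use plugin is an added example, not code from the page or the Croma vendor: it blocks the ironMusic_ajax action and additionally pins the `default_role` and `users_can_register` options at safe values using the standard `pre_option_{$option}` and `pre_update_option_{$option}` filters. The file name and the log message format are assumptions; the WordPress hook names are real.

```php
<?php
/**
 * Plugin Name: CVE-2024-12202 hardening (added example, not vendor code)
 * Description: Blocks the ironMusic_ajax action and pins the two options the
 *              advisory says an attacker modifies. Save as
 *              wp-content/mu-plugins/cve-2024-12202-guard.php (assumed name);
 *              mu-plugins load before any theme or regular plugin and are not
 *              affected by theme updates.
 */

// 1. Refuse the vulnerable AJAX action for every caller, logged in or not.
//    'init' fires inside admin-ajax.php before any wp_ajax_* handler runs,
//    so the request dies before the plugin's function is reached.
//    Priority 0 places this ahead of anything the plugin itself hooks on init.
add_action('init', function () {
    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : '';
    if ($action === 'ironMusic_ajax') {
        wp_die('Access denied', 'Forbidden', array('response' => 403));
    }
}, 0);

// 2. Pin the options named in the advisory. pre_option_{$option} short-circuits
//    get_option(), so every reader sees the safe value even if the stored row
//    has already been tampered with. __return_zero is a WordPress core helper.
add_filter('pre_option_users_can_register', '__return_zero');
add_filter('pre_option_default_role', function () {
    return 'subscriber';
});

// 3. Refuse writes to those options. Returning the old value from
//    pre_update_option_{$option} turns update_option() into a no-op.
//    A blocked attempt is logged so it surfaces in monitoring.
foreach (array('users_can_register', 'default_role') as $option) {
    add_filter("pre_update_option_{$option}", function ($value, $old_value) use ($option) {
        if ($value !== $old_value) {
            error_log(sprintf(
                'CVE-2024-12202 guard: blocked update of %s by user %d from %s',
                $option,
                get_current_user_id(),
                isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
            ));
        }
        return $old_value;
    }, 10, 2);
}
```

While this file is active, administrators also cannot change the two pinned options from Settings → General; remove or edit the file when a legitimate change is needed. Blocking the action also disables whatever front-end feature of the music plugin relies on it, which is the same trade-off the functions.php workaround makes.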
🧯 If You Can't Patch
- Deactivate and remove the Croma Music plugin completely
- Implement strict access controls and monitor for suspicious user role changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Croma Music version. If version is 3.6 or lower, you are vulnerable.
Check Version:
wp plugin list --fields=name,version | grep -i croma
(The `--name` filter of `wp plugin list` matches the plugin slug, i.e. its directory name, not the display title "Croma Music", so filtering on the title would return nothing; listing name and version and grepping for the slug works regardless of the exact slug.)
Verify Fix Applied:
After updating, verify Croma Music plugin version is higher than 3.6 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to ironMusic_ajax endpoint
- Sudden user role changes from Subscriber to Administrator
- New administrator account creation
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=ironMusic_ajax
- Unusual traffic patterns from authenticated users
SIEM Query:
source="wordpress.log" AND ("ironMusic_ajax" OR "user_role_changed" OR "new_user_registered")
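The action parameter of an admin-ajax.php request normally travels in the POST body, so a plain web-server access log only shows the URL and never the `action=ironMusic_ajax` value; the reliable place to record the log indicators above is inside WordPress itself. The following must-use plugin is an added example, not code from the page or the vendor: it writes one line per indicator to the PHP error log using the exact tokens (`ironMusic_ajax`, `user_role_changed`, `new_user_registered`) that the SIEM query above searches for. The file name, the `wp-security` line prefix and the key=value layout are assumptions; the hooks `init`, `set_user_role`, `user_register` and `updated_option` are standard WordPress actions.

```php
<?php
/**
 * Plugin Name: CVE-2024-12202 monitor (added example, not vendor code)
 * Description: Logs each indicator listed in the advisory as a single line.
 *              Save as wp-content/mu-plugins/cve-2024-12202-monitor.php
 *              (assumed name) and ship the PHP error log (or WP_DEBUG_LOG)
 *              to the SIEM as "wordpress.log".
 */

// Emit one single-line key=value record per event. Newlines are stripped
// from values so an attacker-controlled string cannot forge a second line.
function cve_2024_12202_log($event, array $fields) {
    $base = array(
        'event' => $event,
        'actor' => get_current_user_id(),
        'ip'    => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
    );
    $parts = array();
    foreach (array_merge($base, $fields) as $key => $value) {
        $parts[] = $key . '=' . str_replace(array("\n", "\r"), ' ', (string) $value);
    }
    error_log('wp-security ' . implode(' ', $parts));
}

// Indicator 1: any request naming the vulnerable AJAX action. Hooked on
// 'init' at a negative priority so the line is written even when a guard
// such as the functions.php workaround above dies the request later in init.
add_action('init', function () {
    if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'ironMusic_ajax') {
        cve_2024_12202_log('ironMusic_ajax', array(
            'method'     => isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '-',
            'doing_ajax' => wp_doing_ajax() ? 1 : 0,
        ));
    }
}, -10);

// Indicator 2: a role change; Subscriber -> Administrator is the case the
// advisory describes, so promotion to administrator is marked high severity.
add_action('set_user_role', function ($user_id, $new_role, $old_roles) {
    cve_2024_12202_log('user_role_changed', array(
        'user'     => $user_id,
        'old'      => implode(',', (array) $old_roles),
        'new'      => $new_role,
        'severity' => ($new_role === 'administrator') ? 'high' : 'info',
    ));
}, 10, 3);

// Indicator 3: every new account; flagged when it is created as administrator,
// which is what a tampered default_role plus open registration produces.
// wp_insert_user() assigns the role before firing user_register, so the
// roles are already visible here.
add_action('user_register', function ($user_id) {
    $user  = get_userdata($user_id);
    $roles = $user ? $user->roles : array();
    cve_2024_12202_log('new_user_registered', array(
        'user'     => $user_id,
        'roles'    => implode(',', $roles),
        'severity' => in_array('administrator', $roles, true) ? 'high' : 'info',
    ));
});

// Indicator 4: a successful change to either option the advisory says the
// attacker flips. updated_option only fires when the value actually changed.
add_action('updated_option', function ($option, $old_value, $value) {
    if (in_array($option, array('default_role', 'users_can_register'), true)) {
        cve_2024_12202_log('option_changed', array(
            'option'   => $option,
            'old'      => is_scalar($old_value) ? $old_value : wp_json_encode($old_value),
            'new'      => is_scalar($value) ? $value : wp_json_encode($value),
            'severity' => 'high',
        ));
    }
}, 10, 3);
```

A line such as `wp-security event=user_role_changed actor=0 ip=... user=42 old=subscriber new=administrator severity=high` matches the `user_role_changed` term of the SIEM query, and `actor=0` (no logged-in user performing the change) combined with `severity=high` is the pattern worth alerting on first.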