CVE-2025-31787

Vulnerability

The Cue plugin by AudioTheme (cue) contains a missing authorization vulnerability in versions up to and including 2.4.4 [1]. The bug allows exploitation of incorrectly configured access control security levels, meaning that certain functionality or data may be accessed without proper permission checks [1].

Exploitation

An attacker would need to be authenticated as a user with some level of access to the WordPress site, as the vulnerability stems from missing authorization checks rather than missing authentication [1]. The exact sequence of steps is not disclosed in the available references, but the attacker leverages the insufficient access control to reach protected functionality [1].

Impact

Successful exploitation leads to unauthorized access to features or data that should be restricted to higher-privilege users [1]. The impact is limited by the CVSS score of 4.3 (Medium), indicating partial compromise of confidentiality or integrity without full system takeover [1].

Mitigation

The vulnerability is fixed in version 2.4.5 of the Cue plugin, released on 2025-04-02 [1]. Users should update to version 2.4.5 immediately [1]. There is no known workaround for older versions; updating is the only complete mitigation [1].