Overview
A critical security vulnerability, identified as CVE-2025-13615, has been discovered in the StreamTube Core plugin for WordPress. This flaw allows unauthenticated attackers to change user passwords, potentially leading to complete takeover of administrator accounts. This vulnerability affects versions up to and including 4.78 of the StreamTube Core plugin.
This vulnerability stems from inadequate authorization checks when handling user-controlled access to objects, allowing bypasses that grant access to system resources which should be protected.
Important Note: This vulnerability is only exploitable if the ‘registration password fields’ are enabled in the theme options of the StreamTube plugin.
Technical Details
The StreamTube Core plugin fails to properly validate user permissions when handling requests related to user accounts. Specifically, the plugin provides user-controlled access to objects. This allows an attacker to bypass intended authorization mechanisms and manipulate user password data. By crafting malicious requests, an unauthenticated attacker can trigger password reset procedures for any user on the WordPress site, including administrators. The vulnerability is based on the insufficient checks present when the ‘registration password fields’ are enabled in the theme options.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13615 is 9.8 (Critical). This high score reflects the severe impact of the vulnerability, which allows for unauthenticated remote code execution (in effect, account takeover).
- CVSS Score: 9.8 (Critical)
- Vector String: [While the full vector string isn’t provided in the prompt, a score of 9.8 implies a vector likely similar to CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]
Possible Impact
The exploitation of CVE-2025-13615 can have devastating consequences:
- Complete Site Takeover: Attackers can gain control of administrator accounts and, consequently, the entire WordPress website.
- Data Breach: Sensitive data stored on the website, including user information, could be compromised.
- Malware Distribution: Attackers can inject malicious code into the website to distribute malware to visitors.
- Defacement: The website can be defaced, damaging the site owner’s reputation.
- Spam and Phishing: Compromised accounts can be used to send spam and phishing emails.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-13615, take the following actions immediately:
- Update the StreamTube Core Plugin: Check for and install the latest version of the StreamTube Core plugin from the WordPress plugin repository or the original source. The updated version should contain a patch that addresses this vulnerability.
- Disable Registration Password Fields (If Possible): If updating is not immediately possible, consider disabling the ‘registration password fields’ in the StreamTube theme options as a temporary workaround. This will prevent the exploitation of the vulnerability.
- Monitor for Suspicious Activity: Closely monitor your WordPress website for any unusual activity, such as new user accounts, unauthorized modifications, or login attempts from unfamiliar locations.
- Implement a Web Application Firewall (WAF): A WAF can help to detect and block malicious requests targeting the vulnerability.
