{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13615", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-24T18:46:54.192Z", "datePublished": "2025-11-30T01:53:13.258Z", "dateUpdated": "2026-04-08T17:17:43.665Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:43.665Z"}, "affected": [{"vendor": "phpface", "product": "StreamTube Core", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.78", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options."}], "title": "StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve"}, {"url": "https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-11-29T12:14:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-01T13:31:30.707915Z", "id": "CVE-2025-13615", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-01T14:10:13.887Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13615", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-01T13:31:30.707915Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-01T13:31:37.058Z"}}], "cna": {"title": "StreamTube Core <= 4.78 - Unauthenticated Arbitrary User Password Change", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "phpface", "product": "StreamTube Core", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.78"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-29T12:14:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve"}, {"url": "https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786"}], "descriptions": [{"lang": "en", "value": "The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:43.665Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13615", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:43.665Z", "dateReserved": "2025-11-24T18:46:54.192Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-30T01:53:13.258Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options."}], "id": "CVE-2025-13615", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-30T02:15:58.233", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:54:25.525883+00:00", "value": {"mitigation_remediation": ["Update the StreamTube Core plugin to the latest available version (4.79 or newer).", "Disable the \"registration password fields\" option in the theme settings until the plugin has been updated.", "If the plugin is no longer needed, consider uninstalling it to remove the attack surface."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated user password change that can lead to administrator takeover"}, "threat_synthesis": {"affected_systems": "All installations of the phpface StreamTube Core theme running version 4.78 or earlier, and with the \"registration password fields\" option enabled in the theme settings. No specific operating system or PHP version is required beyond the normal WordPress hosting environment.", "description_and_impact": "The StreamTube Core plugin for WordPress is vulnerable to arbitrary user password change in all releases up to and including version 4.78. The flaw arises because the plugin allows user\u2011controlled access to objects, enabling a user to bypass the normal authorization checks required to change passwords for any account. If an attacker can identify a target username, they can alter that account\u2019s password without possessing valid credentials, thereby gaining the same access that the legitimate account holder holds. This is a classic privilege escalation weakness classified as CWE\u2011639.", "risk_and_exploitability": "With a CVSS score of 9.8 the vulnerability is considered critical, yet the EPSS score of less than 1% indicates that, as of now, exploitation is unlikely but not impossible. The flaw is not listed in the CISA KEV catalog, meaning there are no publicly confirmed exploits in the wild. Attackers can exploit the issue by sending crafted HTTP requests to the front\u2011end of the site where the plugin is active; the attacker does not need any credentials, but must target a user whose account exists. Once the password is changed, the attacker can log in with the new credentials and take full control of the WordPress administration area."}}}}, "created": "2025-12-01T15:18:09.727923+00:00", "updated": "2026-04-21T18:00:11.732904+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}