{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2525", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-19T14:06:43.812Z", "datePublished": "2025-04-08T01:44:21.589Z", "dateUpdated": "2026-04-08T17:04:12.517Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:12.517Z"}, "affected": [{"vendor": "iqonicdesign", "product": "Streamit", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83a58119-d0ed-47fe-93d1-1aa1def2cf44?source=cve"}, {"url": "https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881"}, {"url": "https://documentation.iqonic.design/streamit/change-log/streamit-v4-0/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "timeline": [{"time": "2025-03-19T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-03-19T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-04-04T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T14:20:49.658657Z", "id": "CVE-2025-2525", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T16:00:10.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2525", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-08T14:20:49.658657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T14:20:51.053Z"}}], "cna": {"title": "Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "iqonicdesign", "product": "Streamit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-19T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-03-19T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-04-04T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83a58119-d0ed-47fe-93d1-1aa1def2cf44?source=cve"}, {"url": "https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881"}, {"url": "https://documentation.iqonic.design/streamit/change-log/streamit-v4-0/"}], "descriptions": [{"lang": "en", "value": "The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:12.517Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2525", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:12.517Z", "dateReserved": "2025-03-19T14:06:43.812Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-08T01:44:21.589Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El tema Streamit para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n 'st_Authentication_Controller::edit_profile' en todas las versiones hasta la 4.0.1 incluida. Esto permite que atacantes autenticados, con permisos de suscriptor o superiores, carguen archivos arbitrarios en el servidor del sitio afectado, lo que podr\u00eda posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-2525", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-08T02:15:20.363", "references": [{"source": "security@wordfence.com", "url": "https://documentation.iqonic.design/streamit/change-log/streamit-v4-0/"}, {"source": "security@wordfence.com", "url": "https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83a58119-d0ed-47fe-93d1-1aa1def2cf44?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:26:10.218533+00:00", "value": {"mitigation_remediation": ["Upgrade to Streamit 4.1 or later, which removes the vulnerable upload code.", "If an upgrade is not immediately possible, restrict uploaded files by applying a whitelist or disabling script execution in the upload directory via web server configuration or an .htaccess rule.", "Review the uploads directory for existing malicious files and delete or neutralize them."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution via file upload"}, "threat_synthesis": {"affected_systems": "The affected product is the iqonicdesign Streamit WordPress theme. All released versions up to and including 4.0.1 are impacted. Users running Streamit 4.0.1 or earlier should upgrade to a newer release as soon as possible.", "description_and_impact": "The Streamit WordPress theme contains a flaw in the edit_profile routine where file type validation is omitted. Authenticated users with subscriber or higher privileges can upload any file to the server. An attacker could upload a PHP or other executable file and later access it through the web to run arbitrary code, thereby enabling remote code execution on the host.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates a high severity vulnerability, and the EPSS score around 1% suggests a low but non\u2011zero chance of exploitation. Because the attack requires authenticated subscriber\u2011level access, attackers must first compromise or impersonate a legitimate user. Once a malicious file is uploaded, the absence of MIME type checks allows the attacker to serve it via the web, potentially leading to code execution or data exposure. The vulnerability is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-04-21T21:30:45.746227+00:00", "updated": "2026-04-21T21:30:45.746237+00:00", "vendors": []}