CVE-2025-13615
📋 TL;DR
This vulnerability in the StreamTube Core WordPress plugin allows unauthenticated attackers to change user passwords, including those of administrator accounts, potentially leading to complete site takeover. It affects WordPress sites running StreamTube Core plugin versions up to 4.78 with 'registration password fields' enabled in theme options. The vulnerability stems from improper authorization controls: the password-change action is reachable without verifying that the requester is allowed to perform it.
💻 Affected Systems
- StreamTube Core WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through administrator account takeover, leading to data theft, defacement, malware injection, or ransomware deployment.
Likely Case
Unauthenticated attackers change passwords for administrator or other privileged accounts, gaining unauthorized access to modify content, install malicious plugins, or steal sensitive data.
If Mitigated
If 'registration password fields' are disabled in theme options, the vulnerability cannot be exploited, though the underlying code flaw remains.
🎯 Exploit Status
The vulnerability is straightforward to exploit once the specific endpoint and parameters are identified. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.79 or later
Vendor Advisory: https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the StreamTube Core plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the vendor and update manually.
🔧 Temporary Workarounds
Disable Registration Password Fields
Disable the vulnerable feature in theme options to prevent exploitation.
Temporary Plugin Deactivation
Deactivate the StreamTube Core plugin until patched, though this may break site functionality.
🧯 If You Can't Patch
- Disable 'registration password fields' in StreamTube theme options immediately.
- Implement web application firewall (WAF) rules to block requests to vulnerable plugin endpoints.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the StreamTube Core version. If the version is 4.78 or lower, the site is vulnerable when registration password fields are enabled.
Check Version:
wp plugin list --name=streamtube-core --field=version
Verify Fix Applied:
After update, confirm StreamTube Core plugin version is 4.79 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to StreamTube Core plugin endpoints, especially password change attempts from clients with no authenticated session.
Network Indicators:
- HTTP requests containing 'streamtube' or plugin-specific parameters related to password changes without authentication.
SIEM Query:
source="web_logs" AND (uri_path="/wp-content/plugins/streamtube-core/*" OR user_agent="*streamtube*") AND (method="POST" AND status=200)
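The SIEM query above expressed as a small detector over raw web server logs, as an added example that is not part of this advisory or the plugin's own code. It parses combined-format access log lines and applies the same indicator (successful POST under the plugin directory, or a 'streamtube' User-Agent); the log lines and the endpoint file name are constructed placeholders, since the advisory names only the plugin directory.

```python
import re
from collections import Counter

# Constructed sample access log lines (combined format); not real traffic.
# The endpoint file name is a placeholder: the advisory gives only the plugin directory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /wp-content/plugins/streamtube-core/example-endpoint.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "POST /wp-content/plugins/streamtube-core/example-endpoint.php?x=1 HTTP/1.1" 200 498 "-" "curl/8.4.0"
198.51.100.4 - - [12/Mar/2025:10:02:11 +0000] "GET /wp-content/plugins/streamtube-core/assets/app.js HTTP/1.1" 200 9000 "https://example.org/" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2025:10:04:01 +0000] "POST /wp-content/plugins/streamtube-core/example-endpoint.php HTTP/1.1" 403 120 "-" "python-requests/2.31"
"""

PLUGIN_PREFIX = "/wp-content/plugins/streamtube-core/"

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def is_suspicious(entry):
    """Same predicate as the advisory's SIEM query: POST + 200 + (plugin path OR streamtube UA)."""
    path_hit = entry["path"].startswith(PLUGIN_PREFIX)
    ua_hit = "streamtube" in entry["ua"].lower()
    return entry["method"] == "POST" and entry["status"] == 200 and (path_hit or ua_hit)


def find_hits(log_text):
    """Return the parsed entries that match the indicator, in log order."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and is_suspicious(e)]


def count_by_ip(hits):
    """Aggregate matching requests per client IP for triage."""
    return Counter(h["ip"] for h in hits)
```

Access logs carry neither the POST body nor session cookies, so this filter cannot tell an authenticated request from an unauthenticated one; treat hits as a triage list and correlate them with WordPress user-login and password-change events.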