Critical severity9.8NVD Advisory· Published Nov 30, 2025· Updated Apr 15, 2026
CVE-2025-13615
CVE-2025-13615
Description
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options.
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.