CVE-2025-13615 affects the StreamTube Core plugin for WordPress, a popular video content management plugin. The vulnerability stems from improper authorization controls (CWE-639) that allow attackers to manipulate user-controlled keys to bypass access restrictions. Specifically, when the 'registration password fields' feature is enabled in the theme options, unauthenticated users can exploit this flaw to change arbitrary user passwords without any authentication or user interaction. This means an attacker can reset the password of any user, including administrators, effectively gaining full control over the WordPress site. The vulnerability is present in all versions up to and including 4.78. The CVSS 3.1 base score is 9.8, reflecting its critical nature due to network exploitability, no required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and potential impact make this a severe threat. The vulnerability highlights a failure in enforcing proper authorization checks on sensitive operations within the plugin's codebase, specifically related to user password management.

The impact of this vulnerability is severe for organizations using the StreamTube Core plugin on WordPress sites. Successful exploitation allows attackers to take over any user account, including administrators, leading to complete site compromise. This can result in unauthorized access to sensitive data, defacement, insertion of malicious content, deployment of backdoors, and use of the compromised site for further attacks such as phishing or malware distribution. For businesses relying on WordPress for content delivery or e-commerce, this could lead to significant reputational damage, financial loss, and regulatory penalties. The vulnerability's network accessibility and lack of required authentication make it highly exploitable, increasing the risk of widespread attacks, especially on sites with the vulnerable plugin and the specific theme option enabled.

To mitigate this vulnerability, organizations should immediately update the StreamTube Core plugin to a patched version once released by the vendor. Until a patch is available, administrators should disable the 'registration password fields' option in the theme settings to prevent exploitation. Additionally, implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting password change functionalities can reduce risk. Monitoring logs for unusual password reset activities and enforcing strong multi-factor authentication (MFA) on administrator accounts can limit the impact of potential compromises. Regularly auditing installed plugins and themes for vulnerabilities and minimizing the use of unnecessary features that expose sensitive operations is recommended. Finally, maintaining offline backups and having an incident response plan ready will help in rapid recovery if exploitation occurs.