CVE-2025-13615: CWE-639 Authorization Bypass Through User-Controlled Key in phpface StreamTube Core
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options.
AI Analysis
Technical Summary
CVE-2025-13615 is an authorization bypass vulnerability in the StreamTube Core WordPress plugin (versions up to 4.78). The plugin improperly grants user-controlled access to internal objects, allowing unauthenticated attackers to change any user's password, including administrators, if the 'registration password fields' feature is enabled. This vulnerability is categorized under CWE-639 and has a critical CVSS score of 9.8, reflecting its potential for complete system compromise via password takeover.
Potential Impact
Successful exploitation allows unauthenticated attackers to change arbitrary user passwords, leading to potential full account takeover, including administrator accounts. This compromises confidentiality, integrity, and availability of the affected WordPress site. The impact is critical due to the ease of exploitation (no privileges or user interaction required) and the high level of control gained by attackers.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Administrators should verify if the 'registration password fields' option is enabled in their theme settings and consider disabling it as a temporary mitigation. Monitor vendor advisories for updates or patches addressing this issue. Until a fix is released, restrict access to the affected plugin or consider disabling it to prevent exploitation.
CVE-2025-13615: CWE-639 Authorization Bypass Through User-Controlled Key in phpface StreamTube Core
Description
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13615 is an authorization bypass vulnerability in the StreamTube Core WordPress plugin (versions up to 4.78). The plugin improperly grants user-controlled access to internal objects, allowing unauthenticated attackers to change any user's password, including administrators, if the 'registration password fields' feature is enabled. This vulnerability is categorized under CWE-639 and has a critical CVSS score of 9.8, reflecting its potential for complete system compromise via password takeover.
Potential Impact
Successful exploitation allows unauthenticated attackers to change arbitrary user passwords, leading to potential full account takeover, including administrator accounts. This compromises confidentiality, integrity, and availability of the affected WordPress site. The impact is critical due to the ease of exploitation (no privileges or user interaction required) and the high level of control gained by attackers.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Administrators should verify if the 'registration password fields' option is enabled in their theme settings and consider disabling it as a temporary mitigation. Monitor vendor advisories for updates or patches addressing this issue. Until a fix is released, restrict access to the affected plugin or consider disabling it to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-24T18:46:54.192Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 692ba718b00568eef09a0bbf
Added to database: 11/30/2025, 2:08:24 AM
Last enriched: 4/9/2026, 9:36:07 AM
Last updated: 5/9/2026, 8:44:41 PM
Views: 280
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.