CVE-2025-13615 is a critical security vulnerability identified in the StreamTube Core plugin for WordPress, versions up to and including 4.78. The vulnerability stems from an authorization bypass caused by improper handling of user-controlled keys, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). Specifically, the plugin allows unauthenticated users to manipulate access to internal objects, bypassing normal authorization mechanisms. This flaw enables attackers to perform arbitrary password changes on any user account, including administrators, without authentication. The attack vector requires that the 'registration password fields' feature be enabled in the theme options, which exposes the vulnerable code path. The CVSS v3.1 base score is 9.8, reflecting an attack vector that requires no privileges, no user interaction, and can be executed remotely over the network. The impact includes full compromise of user accounts, potential site takeover, and disruption of service. Although no public exploits have been reported yet, the critical nature and ease of exploitation make this vulnerability a high priority for remediation. The absence of available patches at the time of disclosure necessitates immediate mitigation steps by administrators.

For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized access to sensitive data, administrative account takeover, and complete compromise of WordPress sites running the affected plugin. This could result in data breaches, defacement, insertion of malicious content, or use of the compromised site as a launchpad for further attacks within the network. Organizations in sectors such as government, finance, healthcare, and media, which often rely on WordPress for content management, may face reputational damage, regulatory penalties under GDPR, and operational disruptions. The vulnerability’s ability to be exploited remotely without authentication increases the risk of widespread attacks, especially targeting high-profile or high-traffic websites. Given the plugin’s popularity in Europe, the threat landscape is significant, and attackers could leverage this flaw to gain persistent footholds in organizational networks.

Administrators should immediately verify if the StreamTube Core plugin is installed and identify the version in use. If the version is 4.78 or earlier, and the 'registration password fields' feature is enabled, disable this feature as a temporary mitigation. Monitor for plugin updates or security patches from the vendor and apply them promptly once available. In the absence of an official patch, consider uninstalling or replacing the plugin with a secure alternative. Implement strict access controls and monitoring on WordPress administrative accounts, including multi-factor authentication to reduce risk of takeover. Regularly audit user accounts for unauthorized changes and review logs for suspicious activity. Employ web application firewalls (WAF) with custom rules to detect and block exploitation attempts targeting this vulnerability. Finally, educate site administrators about the risks and signs of compromise related to this vulnerability.