The Streamit WordPress theme contains an authorization bypass vulnerability (CWE-639) due to insufficient validation of user identity in the 'st_Authentication_Controller::edit_profile' function. This flaw enables unauthenticated attackers to modify email addresses of arbitrary users, including administrators. By changing the email, attackers can trigger password reset mechanisms to gain unauthorized access to user accounts, resulting in privilege escalation and potential full account takeover. The vulnerability affects all versions up to and including 4.0.2 and has a CVSS 3.1 base score of 8.8, indicating high severity.

Successful exploitation allows unauthenticated attackers to change any user's email address, including administrators, enabling them to reset passwords and gain full access to those accounts. This leads to privilege escalation and potential complete compromise of the affected WordPress site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected plugin and monitor for suspicious activity related to user profile changes. Avoid using affected versions of the Streamit theme in production environments.