CVE-2025-13615

Received
Published: 30 Nov 2025, 02:15
Last modified: 30 Nov 2025, 02:15

Vulnerability Summary

Overall Risk: Medium Risk, 39/100
AI Analysis: Emergency, Requires Immediate Action
CVSS Score: 9.8 CRITICAL, CVSS v3.1 (SECURITY)
EPSS Score: 0.11% INFO, 0% probability
CISA KEV: Not listed
Ransomware: No reports
Exploits: None found
Dark Web: Activity detected (Telegram)

The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' are enabled in theme options.
Source Identifier: security@wordfence.com

CVSS | Source | Severity | Exploit. | Impact | Vector
v4.0 | n/a
v3.1 | Primary security@wordfence.com | 9.8 CRITICAL | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/U...
v3.0 | n/a
v2.0 | n/a

EPSS Current Score: 0.11%
EPSS Percentile Rank: 30%ile

Authorization Bypass Through User-Controlled Key CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Not listed in CISA Known Exploited Vulnerabilities catalog.

Telegram Activity Detected
This vulnerability has been mentioned in monitored Telegram channels, indicating potential threat actor interest.

No known public exploit code indexed (as of 30 Nov 2025, 02:15).

Exploitation status can change quickly once PoC code appears.

No affected systems information available.
