CVE-2025-13615 | The StreamTube Core plugin for WordPress is vulnerable to Ar… | CVSS 9.8 CRITICAL

Description

The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' enabled in theme options.

Metadata

CVE ID: CVE-2025-13615
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-11-24 18:46 UTC
Published: 2025-11-30 01:53 UTC
Last updated: 2026-04-08 17:17 UTC
Primary CWE: CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product: phpface / StreamTube Core
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
phpface	StreamTube Core	—	0 ≤ 4.78

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639 Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)