CVE-2025-2525

Name of the Vulnerable Software and Affected Versions: Streamit theme for WordPress versions up to, and including, 4.0.1

Description: The issue is related to arbitrary file uploads due to missing file type validation in the st Authentication Controller::edit profile function. This allows authenticated attackers with subscriber-level and above permissions to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations: For versions up to, and including, 4.0.1, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the st Authentication Controller::edit profile function until a patch is available. Restrict access to the affected site's server to minimize the risk of exploitation. Avoid using the st Authentication Controller::edit profile function in the affected API endpoint until the issue is resolved.