CVE-2025-2526

Name of the Vulnerable Software and Affected Versions: Streamit theme for WordPress versions prior to 4.0.3

Description: The issue allows for privilege escalation via account takeover due to improper validation of a user's identity prior to updating their details, such as email, in the st Authentication Controller::edit profile function. This enables unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Recommendations: For versions prior to 4.0.3, update to a version that includes the fix for this issue to prevent account takeover. As a temporary workaround, consider restricting access to the st Authentication Controller::edit profile function until a patch is available.