PT-2025-48376 · WordPress · Streamtube Core

Friderika Baranyai · Published 2025-11-30 · Updated 2025-11-30 · CVE-2025-13615

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
StreamTube Core plugin for WordPress versions up to and including 4.78

Description
The StreamTube Core plugin for WordPress is susceptible to Arbitrary User Password Change. This occurs because the plugin grants user-controlled access to objects, allowing bypass of authorization and access to system resources. This enables unauthenticated attackers to modify user passwords, potentially gaining control of administrator accounts. Exploitation is possible if the 'registration password fields' are enabled in the theme options.

Recommendations
Versions prior to 4.78: Disable the 'registration password fields' in theme options as a temporary measure.
Versions prior to 4.78: Update to a newer version that addresses this issue as soon as it becomes available.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-13615

Affected Products

Streamtube Core