CVE-2025-13615 Overview
The StreamTube Core plugin for WordPress contains a critical Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated attackers to change arbitrary user passwords, including administrator accounts. This vulnerability exists in versions up to and including 4.78 of the plugin, stemming from improper authorization controls that provide user-controlled access to system resources without adequate verification.
The flaw is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where the application uses user-supplied input to directly access objects without proper authorization checks. When the 'registration password fields' option is enabled in theme settings, attackers can exploit this weakness to bypass authentication entirely and take over any user account on the WordPress installation.
Critical Impact
Unauthenticated attackers can change any user's password, potentially leading to complete WordPress site takeover through administrator account compromise.
Affected Products
- StreamTube Core WordPress Plugin versions up to and including 4.78
- WordPress installations with StreamTube theme and 'registration password fields' enabled
- Sites using the StreamTube Responsive Video WordPress Theme
Discovery Timeline
- 2025-11-30 - CVE-2025-13615 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2025-13615
Vulnerability Analysis
This vulnerability represents a classic Authorization Bypass Through User-Controlled Key (CWE-639) flaw. The StreamTube Core plugin fails to properly validate user authorization when processing password change requests. Instead of verifying that the requesting user has legitimate authority to modify the target account's password, the plugin accepts user-controlled input to identify which account to modify.
The vulnerability's network attack vector combined with no authentication requirements makes this particularly dangerous. An attacker can exploit this remotely without any prior access to the WordPress installation. The attack requires no user interaction and has low complexity, making it trivial to execute once the vulnerable configuration is identified.
Root Cause
The root cause lies in the plugin's password change functionality failing to implement proper authorization checks. When the 'registration password fields' option is enabled in theme settings, the plugin exposes a mechanism that allows direct access to user account resources based solely on user-supplied identifiers. The plugin trusts client-provided data to specify which user account should have its password modified, without verifying that the requester has legitimate authority over that account.
This design flaw bypasses WordPress's native authentication and authorization mechanisms, creating a direct path for unauthorized account manipulation.
Attack Vector
The attack exploits the insecure direct object reference in the password change functionality. An unauthenticated attacker can:
- Identify a WordPress site running a vulnerable version of the StreamTube Core plugin
- Verify that the 'registration password fields' option is enabled in the theme configuration
- Craft a malicious request targeting the password change functionality
- Supply a user identifier (such as user ID or username) for the target account
- Provide a new password of the attacker's choosing
- The plugin processes this request without verifying authorization, changing the target user's password
Once an administrator account is compromised, the attacker gains full control over the WordPress installation, including the ability to install malicious plugins, modify content, access sensitive data, and potentially pivot to the underlying server.
For detailed technical information about this vulnerability, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-13615
Indicators of Compromise
- Unexpected password reset notifications for administrator or user accounts
- Unauthorized login activity from unfamiliar IP addresses, particularly following password changes
- WordPress audit logs showing password modifications without corresponding legitimate user sessions
- New administrator accounts created after unexplained account takeovers
- Modifications to site content, themes, or plugins following unauthorized access
Detection Strategies
- Monitor WordPress authentication logs for password change events that lack corresponding authenticated sessions
- Implement Web Application Firewall (WAF) rules to detect and block suspicious requests to password change endpoints
- Enable detailed logging for the StreamTube Core plugin and review for anomalous activity patterns
- Deploy file integrity monitoring to detect unauthorized modifications following potential account compromise
Monitoring Recommendations
- Configure real-time alerting for any administrator account password changes
- Establish baseline metrics for password change request volume and alert on anomalies
- Monitor for failed login attempts followed by successful password changes on the same account
- Review access logs for requests targeting StreamTube plugin endpoints from unauthenticated sources
How to Mitigate CVE-2025-13615
Immediate Actions Required
- Update the StreamTube Core plugin to a patched version beyond 4.78 immediately
- Disable the 'registration password fields' option in theme settings until the plugin can be updated
- Audit all user accounts for unauthorized password changes and reset compromised credentials
- Review WordPress audit logs for signs of exploitation and unauthorized access
- Consider temporarily disabling user registration if the theme option cannot be disabled
Patch Information
Site administrators should check for updates to the StreamTube Core plugin through the WordPress plugin management interface or via the ThemeForest Product Page. Apply the latest available security update that addresses this vulnerability. After updating, verify the plugin version is above 4.78 and confirm the fix has been applied.
Workarounds
- Disable the 'registration password fields' setting in StreamTube theme options to prevent exploitation (this is the most effective immediate mitigation)
- Implement additional access controls via .htaccess or server configuration to restrict access to vulnerable plugin endpoints
- Deploy a Web Application Firewall with rules specifically targeting unauthorized password change attempts
- Enable two-factor authentication (2FA) for all administrator accounts to provide defense-in-depth against account takeover
# WordPress wp-config.php security hardening
# Add these constants to improve overall security posture
# Force SSL for admin and logins
define('FORCE_SSL_ADMIN', true);
# Disable file editing in WordPress admin
define('DISALLOW_FILE_EDIT', true);
# Limit login attempts (requires additional plugin)
# Consider implementing Wordfence or similar WAF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
