A critical vulnerability has been identified in the StreamTube Core plugin for WordPress, which allows an unauthenticated attacker to change the password of any user on the site, including administrators. Successful exploitation could lead to a complete compromise of the affected website, allowing an attacker to steal data, deface the site, or distribute malware. This vulnerability requires a specific theme option, "registration password fields," to be enabled for it to be exploitable.

The vulnerability is a Broken Access Control flaw where the plugin fails to properly authorize password change requests. An attacker can manipulate objects controlling user data to bypass security checks, allowing them to target any user account without authentication. To exploit this, an unauthenticated attacker would send a crafted request to the password change function, specifying a target user (such as an administrator) and a new password, leading to a full account takeover. This is only possible if the "registration password fields" setting is enabled in the theme options.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful attack would result in a complete loss of confidentiality, integrity, and availability for the affected WordPress site. The business impact includes the potential for a severe data breach of user information, significant reputational damage from website defacement or compromise, and financial loss if the site is used for e-commerce or lead generation. An attacker could also use the compromised website to host malicious content or launch further attacks against visitors.

Immediate Action: Immediately update the StreamTube Core plugin for WordPress to the latest available version that patches this vulnerability. After patching, review all administrator and user accounts for any unauthorized changes or suspicious activity.

Proactive Monitoring: Monitor web server access logs and WordPress security logs for unusual POST requests related to user profile updates or password changes, especially from unknown IP addresses. Scrutinize logs for any successful password changes that do not correlate with legitimate user activity. Implement alerts for unauthorized administrative account logins or modifications.

Compensating Controls: If patching is not immediately possible, disable the "registration password fields" setting within the theme options as a temporary mitigation measure, as this is a required precondition for exploitation. Additionally, a Web Application Firewall (WAF) may be configured with rules to block requests attempting to exploit this specific flaw, if a clear pattern can be identified. Restricting access to the WordPress login and admin pages by IP address can also add a layer of defense.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a complete, unauthenticated site takeover, this vulnerability poses a severe risk to the organization. We strongly recommend that the required patch be applied immediately across all affected websites. While there is no evidence of active exploitation, the risk of compromise is too high to ignore. If patching cannot be performed immediately, implement the recommended compensating controls, primarily disabling the vulnerable theme option, to mitigate the immediate threat.