Threat Entry Updated 2025-04-08

CVE-2025-2526 - Streamit Theme

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

THEME Streamit

CVE-2025-2526

HIGH CVSS 8.8 2025-04-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-04-08

CVE-2025-2525 - Streamit Theme

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Streamit

CVE-2025-2525

HIGH CVSS 8.8 2025-04-08

Risk Score

Open Full Technical Breakdown