The StreamTube Core plugin for WordPress is vulnerable to arbitrary user password change in all releases up to and including version 4.78. The flaw arises because the plugin allows user‑controlled access to objects, enabling a user to bypass the normal authorization checks required to change passwords for any account. If an attacker can identify a target username, they can alter that account’s password without possessing valid credentials, thereby gaining the same access that the legitimate account holder holds. This is a classic privilege escalation weakness classified as CWE‑639.

All installations of the phpface StreamTube Core theme running version 4.78 or earlier, and with the "registration password fields" option enabled in the theme settings. No specific operating system or PHP version is required beyond the normal WordPress hosting environment.

With a CVSS score of 9.8 the vulnerability is considered critical, yet the EPSS score of less than 1% indicates that, as of now, exploitation is unlikely but not impossible. The flaw is not listed in the CISA KEV catalog, meaning there are no publicly confirmed exploits in the wild. Attackers can exploit the issue by sending crafted HTTP requests to the front‑end of the site where the plugin is active; the attacker does not need any credentials, but must target a user whose account exists. Once the password is changed, the attacker can log in with the new credentials and take full control of the WordPress administration area.