CVE-2025-2525 - Vulnerability Details

- Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Published: 2025-04-08

Score: 8.8 High

EPSS: 1.2% Low

KEV: No

Impact:

Action:

Analysis

Impact

The Streamit WordPress theme contains a flaw in the edit_profile routine where file type validation is omitted. Authenticated users with subscriber or higher privileges can upload any file to the server. An attacker could upload a PHP or other executable file and later access it through the web to run arbitrary code, thereby enabling remote code execution on the host.

Affected Systems

The affected product is the iqonicdesign Streamit WordPress theme. All released versions up to and including 4.0.1 are impacted. Users running Streamit 4.0.1 or earlier should upgrade to a newer release as soon as possible.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high severity vulnerability, and the EPSS score around 1% suggests a low but non‑zero chance of exploitation. Because the attack requires authenticated subscriber‑level access, attackers must first compromise or impersonate a legitimate user. Once a malicious file is uploaded, the absence of MIME type checks allows the attacker to serve it via the web, potentially leading to code execution or data exposure. The vulnerability is not listed in CISA’s KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

iqonicdesign

Streamit

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.0.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Streamit 4.1 or later, which removes the vulnerable upload code.
If an upgrade is not immediately possible, restrict uploaded files by applying a whitelist or disabling script execution in the upload directory via web server configuration or an .htaccess rule.
Review the uploads directory for existing malicious files and delete or neutralize them.

Generated by OpenCVE AI on April 21, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10392	The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01235.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://documentation.iqonic.design/streamit/change-log/streamit-v4-0/
https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881
https://www.wordfence.com/threat-intel/vulnerabilities/id/83a58119-d0ed-47fe-93d1-1aa1def2cf44?source=cve

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00563}`	epss `{'score': 0.00749}`

Tue, 08 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 08 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Title		Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

Tue, 08 Apr 2025 02:45:00 +0000

Type	Values Removed	Values Added
Description		The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Weaknesses		CWE-434
References		https://documentation.iqonic.design/streamit/change-log/streamit-v4-0/ https://themeforest.net/item/streamit-video-streaming-wordpress-theme/29772881 https://www.wordfence.com/threat-intel/vulnerabilities/id/83a58119-d0ed-47fe-93d1-1aa1def2cf44?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-04-08T01:44:21.589Z

Updated: 2026-04-08T17:04:12.517Z

Reserved: 2025-03-19T14:06:43.812Z

Link: CVE-2025-2525

Vulnrichment

Updated: 2025-04-08T14:20:51.053Z

NVD

Status : Deferred

Published: 2025-04-08T02:15:20.363

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object