
21 matches found

RedhatCVE
added 2025/04/10 3:29 a.m. · 9 views

CVE-2025-2525

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above...

8.8 CVSS · 7.8 AI score · 0.01235 EPSS
Exploits: 0 · References: 1

NVD
added 2025/04/08 2:15 a.m. · 3 views

CVE-2025-2526

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile'...

8.8 CVSS · 0.00418 EPSS
Exploits: 0 · References: 3

NVD
added 2025/04/08 2:15 a.m. · 7 views

CVE-2025-2525

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above...

8.8 CVSS · 0.01235 EPSS
Exploits: 0 · References: 3

CVE
added 2025/04/08 1:44 a.m. · 49 views

CVE-2025-2519

CVE-2025-2519 affects the Streamit WordPress theme and permits authenticated (Subscriber+) users to download arbitrary files due to insufficient validation in the st_send_download_file function. Affected versions: all up to 4.0.1. The vulnerability has been patched by the vendor; upgrading to the...

6.5 CVSS · 6.9 AI score · 0.00843 EPSS
Exploits: 0 · References: 3

Cvelist
added 2025/04/08 1:44 a.m. · 15 views

CVE-2025-2525 Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above...

8.8 CVSS · 0.01235 EPSS
Exploits: 0 · References: 3

Cvelist
added 2025/04/08 1:44 a.m. · 19 views

CVE-2025-2519 Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Download

The Streamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_download_file' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5 CVSS · 0.00843 EPSS
Exploits: 0 · References: 3

CVE
added 2025/04/08 1:44 a.m. · 51 views

CVE-2025-2525

The CVE-2025-2525 entry concerns the WordPress Streamit theme. Public detail confirms an Arbitrary File Upload flaw caused by missing file-type validation in st_Authentication_Controller::edit_profile, affecting all versions up to 4.0.1. The vulnerability requires authentication at Subscriber lev...

8.8 CVSS · 8 AI score · 0.01235 EPSS
Exploits: 0 · References: 3

Vulnrichment
added 2025/04/08 1:44 a.m. · 3 views

CVE-2025-2519 Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Download

The Streamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_download_file' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5 CVSS · 6.9 AI score · 0.00843 EPSS
Exploits: 0 · References: 3

Cvelist
added 2025/04/08 1:44 a.m. · 16 views

CVE-2025-2526 Streamit <= 4.0.2 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile'...

8.8 CVSS · 0.00418 EPSS
Exploits: 0 · References: 3

Vulnrichment
added 2025/04/08 1:44 a.m. · 4 views

CVE-2025-2526 Streamit <= 4.0.2 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile'...

8.8 CVSS · 7.8 AI score · 0.00418 EPSS
Exploits: 0 · References: 3

CVE
added 2025/04/08 1:44 a.m. · 55 views

CVE-2025-2526

CVE-2025-2526 affects the Streamit WordPress theme. The vulnerability allows privilege escalation via account takeover because st_Authentication_Controller::edit_profile does not properly validate the user before updating details (e.g., email), enabling unauthenticated attackers to change user em...

8.8 CVSS · 7.8 AI score · 0.00418 EPSS
Exploits: 0 · References: 3

CNNVD
added 2025/04/08 12:00 a.m. · 2 views

WordPress plugin Streamit code issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A code issue...

8.8 CVSS · 9 AI score · 0.01235 EPSS
Exploits: 0 · References: 4

Positive Technologies
added 2025/04/08 12:00 a.m. · 2 views

PT-2025-15317 · WordPress · Streamit

Name of the Vulnerable Software and Affected Versions: Streamit theme for WordPress versions up to, and including, 4.0.1. Description: The issue is related to arbitrary file uploads due to missing file type validation in the st_Authentication_Controller::edit_profile function. This allows...

8.8 CVSS · 9.2 AI score · 0.01235 EPSS
Exploits: 0 · References: 10

CNNVD
added 2025/04/08 12:00 a.m. · 2 views

WordPress plugin Streamit security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

8.8 CVSS · 8.7 AI score · 0.00418 EPSS
Exploits: 0 · References: 4

Positive Technologies
added 2025/04/08 12:00 a.m. · 2 views

PT-2025-15316 · WordPress · Streamit

Name of the Vulnerable Software and Affected Versions: Streamit theme for WordPress versions prior to 4.0.2. Description: The issue is related to insufficient file validation in the st_send_download_file function, allowing authenticated attackers with subscriber-level access or higher to download...

6.5 CVSS · 7 AI score · 0.00843 EPSS
Exploits: 0 · References: 7

Positive Technologies
added 2025/04/08 12:00 a.m. · 2 views

PT-2025-15318 · WordPress · Streamit

Name of the Vulnerable Software and Affected Versions: Streamit theme for WordPress versions prior to 4.0.3. Description: The issue allows for privilege escalation via account takeover due to improper validation of a user's identity prior to updating their details, such as email, in the st...

8.8 CVSS · 9.6 AI score · 0.00418 EPSS
Exploits: 0 · References: 10

Patchstack
added 2025/04/07 6:41 p.m. · 2 views

WordPress Streamit plugin <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Download vulnerability

Authenticated Subscriber+ Arbitrary File Download vulnerability discovered by István Márton in WordPress Theme Streamit versions <= 4.0.1...

6.5 CVSS · 7 AI score · 0.00843 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/04/07 6:38 p.m. · 3 views

WordPress Streamit plugin <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability

Authenticated Subscriber+ Arbitrary File Upload vulnerability discovered by István Márton in WordPress Theme Streamit versions <= 4.0.1...

8.8 CVSS · 7 AI score · 0.01235 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/04/07 6:35 p.m. · 3 views

WordPress Streamit plugin <= 4.0.2 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover vulnerability

Authenticated Subscriber+ Privilege Escalation via User Email Change/Account Takeover vulnerability discovered by István Márton in WordPress Theme Streamit versions <= 4.0.2...

8.8 CVSS · 7 AI score · 0.00418 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/04/07 12:00 a.m. · 4 views

WordPress Streamit Theme <= 4.0.1 is vulnerable to Arbitrary File Download

Software: Streamit · Type: Theme · Vulnerable versions: <= 4.0.1 · Fixed in: 4.0.2 · OWASP Top 10: A3: Injection · Classification: Arbitrary File Download · CVE: CVE-2025-2519 · Patch priority: High · CVSS severity: High 6.5 · PSID: 446a13c89b70 · Credits: István Márton · Required privilege: Subscriber...

6.5 CVSS · 6.8 AI score · 0.00843 EPSS
Exploits: 0 · References: 2 · Affected Software: 1