CVE-2025-15096
Published: 11 February 2026
Summary
CVE-2025-15096 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent authenticated low-privilege users from modifying arbitrary user account details like email addresses.
Requires secure management and authorization of changes to user accounts, including validation before updating identifiers such as email used for password resets.
Limits privileges to ensure subscriber-level users cannot perform actions like changing administrator emails, mitigating escalation potential.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct authz bypass enables email modification on arbitrary accounts (T1098 Account Manipulation) to achieve privilege escalation via password reset (T1068 Exploitation for Privilege Escalation).
NVD Description
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details…
more
like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Deeper analysisAI
CVE-2025-15096 is a privilege escalation vulnerability via account takeover in the Videospirecore Theme Plugin for WordPress, affecting all versions up to and including 1.0.6. The issue arises because the plugin does not properly validate a user's identity before allowing updates to user details, such as email addresses. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to modify the email addresses of arbitrary users, including administrators. By changing an administrator's email, the attacker can then leverage WordPress's password reset functionality to gain full access to that account, effectively achieving account takeover and elevating their privileges.
Advisories from Wordfence provide detailed threat intelligence on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/bf152269-73e1-473f-8d97-ce94e9b885d0?source=cve, while the plugin's product page on ThemeForest is available at https://themeforest.net/item/videospire-video-streaming-ott-platform-wordpress-theme/39243225?s_rank=1.
Details
- CWE(s)