How to fix CVE-2025-15096?

Within 24 hours: Identify all WordPress installations using Videospirecore Theme Plugin versions 1.0.6 and below; disable the plugin immediately on all affected systems. Within 7 days: Audit user account activity for unauthorized email changes or password resets; review administrator account access logs for suspicious activity. Within 30 days: Monitor vendor for patch release; develop and test patch deployment procedures; after patch availability, prioritize updating all affected installations.

Is PHP affected by CVE-2025-15096?

The Videospirecore Theme Plugin contains a critical privilege escalation vulnerability that allows low-level users to hijack administrator accounts by changing email addresses and resetting passwords.

CVE-2025-15096

HIGH

2026-02-11 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 11, 2026 - 10:15 nvd

HIGH 8.8

Description

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Analysis

Technical Context

This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) affects plugin. The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to t

Affected Products

Product: plugin. Versions: up to 1.0.6..

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-15096 vulnerability details – vuln.today

Back

CVE-2025-15096

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15096

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code