Skip to main content

WpStream CVE-2026-39527

| EUVDEUVD-2026-36959 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-15 Patchstack GHSA-6cfj-rmrx-95m5
5.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-accessible upload requiring only subscriber authentication (PR:L); no confidentiality impact supported by available description data.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:11 vuln.today
Patch available
Jun 15, 2026 - 22:02 EUVD

DescriptionCVE.org

Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.

AnalysisAI

Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.

Technical ContextAI

WpStream is a live streaming plugin for WordPress developed by SC Internet Vivoo (CPE: cpe:2.3:a:sc_internet_vivoo:wpstream:*:*:*:*:*:*:*:*). CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates that the plugin's file upload handling fails to adequately validate or restrict the file types submitted by low-privilege users. In WordPress terminology, 'subscriber' is the lowest default authenticated role, meaning the plugin's upload endpoint is accessible to virtually any registered user. Depending on server configuration, files uploaded via CWE-434 flaws can range from benign content pollution to weaponizable web shells if the upload directory is web-accessible and the server executes PHP. The CVSS vector (C:N/I:L/A:L) suggests the vendor assessed impact conservatively, possibly indicating uploads are stored outside a directly executable path, but this cannot be independently confirmed from available data.

RemediationAI

The primary fix is to update the WpStream plugin to version 4.11.2 or later, which is the vendor-released patch confirmed by Patchstack. Site administrators should apply this update via the WordPress plugin dashboard or by downloading directly from the plugin repository. Until patching is feasible, compensating controls include disabling WordPress user registration (Settings > General > 'Anyone can register') to eliminate the subscriber-level attack surface - note this may affect legitimate user flows if registration is intentional. Additionally, web application firewall (WAF) rules targeting file upload endpoints with non-whitelisted MIME types or extensions can reduce exploitation risk, though WAF evasion is possible with MIME spoofing and should not be treated as a complete mitigation. Full details are available at https://patchstack.com/database/wordpress/plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-arbitrary-file-upload-vulnerability.

Share

CVE-2026-39527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy