Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Presto Player: from n/a through 4.1.3.
AnalysisAI
Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
CWE-862 (Missing Authorization) indicates the application performs a sensitive operation without first verifying that the requesting user has been granted permission to do so - distinct from authentication failures. Presto Player is a WordPress video and media player plugin developed by Brainstorm Force (CPE: cpe:2.3:a:brainstorm_force:presto_player:*:*:*:*:*:*:*:*). In WordPress plugins, this class of flaw typically manifests as REST API endpoints, AJAX handlers, or admin actions that check whether a user is logged in but omit a capability check (e.g., current_user_can()) to verify the user's role is authorized for the specific operation. The CVSS scope is Unchanged (S:U), meaning exploitation is contained within the plugin's own privilege boundary and does not allow lateral movement into WordPress core or the hosting OS.
RemediationAI
Update Presto Player to the first release beyond version 4.1.3 as published in the WordPress Plugin Repository - the exact fixed version is not independently confirmed in the available intelligence data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/presto-player/vulnerability/wordpress-presto-player-plugin-4-1-3-broken-access-control-vulnerability and the plugin's changelog for the precise patched release. As a compensating control prior to patching, administrators can restrict WordPress user registration to prevent untrusted low-privilege accounts from being created, reducing the attacker pool; however, this does not eliminate risk from existing subscriber-level accounts. Alternatively, temporarily deactivating the plugin eliminates exposure but disrupts all Presto Player video functionality on the site. No generic WAF rule can reliably block this class of missing authorization flaw without understanding the specific unprotected endpoint.
More in Presto Player
View allThe Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updatin
Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary Ja
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30885
GHSA-wx8m-hccf-5xj4