Skip to main content

Presto Player CVE-2026-45442

| EUVDEUVD-2026-30885 MEDIUM
Missing Authorization (CWE-862)
2026-05-19 Patchstack GHSA-wx8m-hccf-5xj4
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 12:03 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Presto Player: from n/a through 4.1.3.

AnalysisAI

Broken access control in Brainstorm Force's Presto Player WordPress plugin (through version 4.1.3) allows authenticated low-privilege users to bypass authorization checks and read restricted data. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is network-exploitable by any authenticated WordPress user with no interaction required, though impact is limited to low confidentiality exposure with no integrity or availability consequences. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

CWE-862 (Missing Authorization) indicates the application performs a sensitive operation without first verifying that the requesting user has been granted permission to do so - distinct from authentication failures. Presto Player is a WordPress video and media player plugin developed by Brainstorm Force (CPE: cpe:2.3:a:brainstorm_force:presto_player:*:*:*:*:*:*:*:*). In WordPress plugins, this class of flaw typically manifests as REST API endpoints, AJAX handlers, or admin actions that check whether a user is logged in but omit a capability check (e.g., current_user_can()) to verify the user's role is authorized for the specific operation. The CVSS scope is Unchanged (S:U), meaning exploitation is contained within the plugin's own privilege boundary and does not allow lateral movement into WordPress core or the hosting OS.

RemediationAI

Update Presto Player to the first release beyond version 4.1.3 as published in the WordPress Plugin Repository - the exact fixed version is not independently confirmed in the available intelligence data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/presto-player/vulnerability/wordpress-presto-player-plugin-4-1-3-broken-access-control-vulnerability and the plugin's changelog for the precise patched release. As a compensating control prior to patching, administrators can restrict WordPress user registration to prevent untrusted low-privilege accounts from being created, reducing the attacker pool; however, this does not eliminate risk from existing subscriber-level accounts. Alternatively, temporarily deactivating the plugin eliminates exposure but disrupts all Presto Player video functionality on the site. No generic WAF rule can reliably block this class of missing authorization flaw without understanding the specific unprotected endpoint.

Share

CVE-2026-45442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy