Skip to main content

Flash & HTML5 Video CVE-2026-57323

| EUVDEUVD-2026-39735 MEDIUM
Missing Authorization (CWE-862)
2026-06-26 audit@patchstack.com GHSA-3m22-fr69-7ch4
5.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
vuln.today AI
5.8 MEDIUM

Unauthenticated network exploitation with no complexity; scope change reflects cross-privilege data read; no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:19 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.

AnalysisAI

Unauthenticated broken access control in the Flash & HTML5 Video WordPress plugin (versions <= 2.11.0) allows remote unauthenticated attackers to bypass authorization checks and access restricted resources, crossing a privilege boundary (CVSS Scope Changed) with limited confidentiality impact. Reported by Patchstack and catalogued under EUVD-2026-39735, this is a CWE-862 (Missing Authorization) flaw requiring no credentials, no user interaction, and no special complexity to exploit. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint WordPress site for plugin
Delivery
Identify vulnerable plugin version ≤ 2.11.0
Exploit
Send unauthenticated HTTP request to unprotected endpoint
Execution
Bypass missing authorization check
Impact
Read restricted cross-scope data

Vulnerability AssessmentAI

Exploitation The Flash & HTML5 Video plugin must be installed and active on a WordPress site running a version at or below 2.11.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 5.8 (Medium) is consistent with the vector: network-accessible, no authentication, no interaction, but impact limited to partial confidentiality with scope change and no integrity or availability loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running Flash & HTML5 Video <= 2.11.0 (discoverable via plugin fingerprinting or WPScan) and sends a crafted HTTP request directly to the plugin's unprotected endpoint, omitting or forging authorization context. The missing capability check allows the request to succeed, returning restricted data such as private post content or plugin configuration - with no credentials, no interaction, and no exploit tooling required beyond a basic HTTP client. …
Remediation Update the Flash & HTML5 Video plugin to a version above 2.11.0 as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy