Skip to main content

Wpstream EUVDEUVD-2026-20185

| CVE-2026-39526 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 Patchstack GHSA-hh4r-jcrc-4266
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 15:22 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
5.4 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20185
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2.

AnalysisAI

WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated users to modify data or trigger denial of service through insecure direct object references (IDOR) via user-controlled keys in access control checks. The vulnerability affects all versions up to 4.11.2 and requires low-privilege authentication to exploit, making it a moderate-risk issue for WordPress installations using this plugin despite the low EPSS score of 0.02%.

Technical ContextAI

The vulnerability stems from CWE-639 (Authorization Through User-Controlled Key), a class of authorization flaw where access control decisions are based on user-supplied parameters rather than server-side session or role validation. In WpStream, the plugin fails to properly validate that authenticated users can only access or modify resources belonging to their own account or appropriate privilege level. This is a common pattern in WordPress plugins where IDOR (Insecure Direct Object Reference) flaws arise when plugin code directly uses POST/GET parameters or user input to determine data ownership without cryptographic or server-side verification. The affected product is identified by CPE cpe:2.3:a:wpstream:wpstream:*:*:*:*:*:*:*:*, indicating all WpStream versions below 4.11.2 are in scope.

RemediationAI

Vendor-released patch: WpStream 4.11.2 addresses this authorization bypass by implementing proper server-side access control validation and eliminating reliance on user-controlled keys for authorization decisions. Site administrators running WpStream should upgrade to version 4.11.2 or later immediately. For installations that cannot immediately patch, disable the WpStream plugin until an upgrade is feasible to prevent exploitation by authenticated users. Verify the update through the WordPress plugin dashboard or via Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-insecure-direct-object-references-idor-vulnerability. Additional details are available via the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-39526.

Share

EUVD-2026-20185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy