Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2.
AnalysisAI
WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated users to modify data or trigger denial of service through insecure direct object references (IDOR) via user-controlled keys in access control checks. The vulnerability affects all versions up to 4.11.2 and requires low-privilege authentication to exploit, making it a moderate-risk issue for WordPress installations using this plugin despite the low EPSS score of 0.02%.
Technical ContextAI
The vulnerability stems from CWE-639 (Authorization Through User-Controlled Key), a class of authorization flaw where access control decisions are based on user-supplied parameters rather than server-side session or role validation. In WpStream, the plugin fails to properly validate that authenticated users can only access or modify resources belonging to their own account or appropriate privilege level. This is a common pattern in WordPress plugins where IDOR (Insecure Direct Object Reference) flaws arise when plugin code directly uses POST/GET parameters or user input to determine data ownership without cryptographic or server-side verification. The affected product is identified by CPE cpe:2.3:a:wpstream:wpstream:*:*:*:*:*:*:*:*, indicating all WpStream versions below 4.11.2 are in scope.
RemediationAI
Vendor-released patch: WpStream 4.11.2 addresses this authorization bypass by implementing proper server-side access control validation and eliminating reliance on user-controlled keys for authorization decisions. Site administrators running WpStream should upgrade to version 4.11.2 or later immediately. For installations that cannot immediately patch, disable the WpStream plugin until an upgrade is feasible to prevent exploitation by authenticated users. Verify the update through the WordPress plugin dashboard or via Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-insecure-direct-object-references-idor-vulnerability. Additional details are available via the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-39526.
Cross-Site Request Forgery (CSRF) vulnerability in wpstream WpStream plugin <= 4.4.10 versions. Rated high severity (CVS
Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticate
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20185
GHSA-hh4r-jcrc-4266