Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-accessible upload requiring only subscriber authentication (PR:L); no confidentiality impact supported by available description data.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.
AnalysisAI
Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.
Technical ContextAI
WpStream is a live streaming plugin for WordPress developed by SC Internet Vivoo (CPE: cpe:2.3:a:sc_internet_vivoo:wpstream:*:*:*:*:*:*:*:*). CWE-434 (Unrestricted Upload of File with Dangerous Type) indicates that the plugin's file upload handling fails to adequately validate or restrict the file types submitted by low-privilege users. In WordPress terminology, 'subscriber' is the lowest default authenticated role, meaning the plugin's upload endpoint is accessible to virtually any registered user. Depending on server configuration, files uploaded via CWE-434 flaws can range from benign content pollution to weaponizable web shells if the upload directory is web-accessible and the server executes PHP. The CVSS vector (C:N/I:L/A:L) suggests the vendor assessed impact conservatively, possibly indicating uploads are stored outside a directly executable path, but this cannot be independently confirmed from available data.
RemediationAI
The primary fix is to update the WpStream plugin to version 4.11.2 or later, which is the vendor-released patch confirmed by Patchstack. Site administrators should apply this update via the WordPress plugin dashboard or by downloading directly from the plugin repository. Until patching is feasible, compensating controls include disabling WordPress user registration (Settings > General > 'Anyone can register') to eliminate the subscriber-level attack surface - note this may affect legitimate user flows if registration is intentional. Additionally, web application firewall (WAF) rules targeting file upload endpoints with non-whitelisted MIME types or extensions can reduce exploitation risk, though WAF evasion is possible with MIME spoofing and should not be treated as a complete mitigation. Full details are available at https://patchstack.com/database/wordpress/plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-arbitrary-file-upload-vulnerability.
Cross-Site Request Forgery (CSRF) vulnerability in wpstream WpStream plugin <= 4.4.10 versions. Rated high severity (CVS
WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated us
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36959
GHSA-6cfj-rmrx-95m5