Skip to main content

Wpstream

3 CVEs product

Monthly

CVE-2026-39527 MEDIUM PATCH This Month

Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.

File Upload Wpstream
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-39526 MEDIUM This Month

WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated users to modify data or trigger denial of service through insecure direct object references (IDOR) via user-controlled keys in access control checks. The vulnerability affects all versions up to 4.11.2 and requires low-privilege authentication to exploit, making it a moderate-risk issue for WordPress installations using this plugin despite the low EPSS score of 0.02%.

Authentication Bypass Wpstream
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2023-27458 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in wpstream WpStream plugin <= 4.4.10 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wpstream
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.

File Upload Wpstream
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated users to modify data or trigger denial of service through insecure direct object references (IDOR) via user-controlled keys in access control checks. The vulnerability affects all versions up to 4.11.2 and requires low-privilege authentication to exploit, making it a moderate-risk issue for WordPress installations using this plugin despite the low EPSS score of 0.02%.

Authentication Bypass Wpstream
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in wpstream WpStream plugin <= 4.4.10 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Wpstream
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy