Description
Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress upstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through <= 2.1.1.
Published: 2025-06-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check that allows a user with inadequate permissions to bypass access controls within the UpStream Project Management plugin. As a result, an attacker could potentially view, modify, or delete project information, compromising data confidentiality and integrity. The weakness is identified as CWE‑862 – Missing Authorization.

Affected Systems

The affected system is the UpStream Project Management plugin for WordPress, versions up to and including 2.1.1. No other vendors or products are affected according to the CNA data.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% signals a low probability of exploitation. The vulnerability is not listed in CISA keV. The likely attack vector is a web‑based request to the plugin’s endpoints that rely on incorrect security level configuration; based on the description, it is inferred that an attacker would need to identify a target site running the vulnerable plugin and craft a request to exploit the access control flaw.

Generated by OpenCVE AI on April 30, 2026 at 10:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the UpStream plugin to the latest version (2.1.2 or newer) to remove the missing authorization check.
  • Validate that the plugin’s access control settings correctly restrict project manipulation to appropriate user roles.
  • If an upgrade is not immediately feasible, consider disabling the plugin or limiting its use to trusted users only.

Generated by OpenCVE AI on April 30, 2026 at 10:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18942 Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0. Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress upstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through <= 2.1.1.
Title WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.1 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 23 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.
Title WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.0 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:13.985Z

Reserved: 2025-06-11T16:07:48.984Z

Link: CVE-2025-49974

cve-icon Vulnrichment

Updated: 2025-06-23T20:54:12.848Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:22.807

Modified: 2026-04-23T15:31:54.160

Link: CVE-2025-49974

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:45:26Z

Weaknesses