Impact
This vulnerability is a missing authorization flaw (CWE-862) in the WpStream plugin for WordPress: the plugin exposes functionality without first checking that the calling user holds the capability its role-based restriction is meant to require. A user who can reach the affected function may therefore view or modify content that should be restricted to a higher role, leading to unauthorized disclosure or tampering of protected data. The core weakness is an authorization error rather than an authentication one; the attacker does not need to bypass login, only to call a function that never asks whether the caller is allowed to.
Affected Systems
WordPress sites running the WpStream plugin, versions up to and including 4.9.5, are affected. Because the missing check is in the plugin's own code rather than in a site setting, every site on an affected version is exposed regardless of how roles and capabilities are configured at the site level: any account that can reach the affected function, whatever its role, can trigger the flaw.
Risk and Exploitability
The CVSS base score of 5.3 places this issue in the medium severity range, with meaningful but bounded impact if exploited. The EPSS score is reported as below 1%, indicating a low likelihood of exploitation in the near term; no public exploitation is known, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is the plugin's web interface: a user logged in with any WordPress role submits crafted requests to the affected function and reads or changes content that the intended role restriction should block, effectively exercising privileges their role does not grant. Site-level permission configuration does not mitigate this, since the check that should consult those permissions is absent; the remediation is to move to a version later than 4.9.5, and until then to review which accounts on the site can authenticate at all, because every one of them is a potential caller.
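The pattern behind a CWE-862 finding in a WordPress plugin is easiest to see side by side. The following is an added illustration written for this page; it is not WpStream code, and the action name, function names, nonce action and meta key are all hypothetical. It shows an admin-ajax handler that any logged-in account can reach and that never checks authorization, next to the corrected handler that enforces an object-level capability check.

```php
<?php
/**
 * Added illustration of CWE-862 in a WordPress plugin action handler.
 * NOT WpStream code: the action 'demo_set_visibility', the two functions
 * and the '_demo_visibility' meta key are hypothetical.
 */

// VULNERABLE PATTERN: once hooked on wp_ajax_demo_set_visibility, this runs for
// any authenticated account that POSTs to
// /wp-admin/admin-ajax.php?action=demo_set_visibility.  Input is sanitized,
// which is not the same thing as authorized: nothing asks whether the caller
// may change this post, so a Subscriber can flip protected content to public.
function demo_set_visibility_vulnerable() {
    $post_id    = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $visibility = isset( $_POST['visibility'] ) ? sanitize_key( $_POST['visibility'] ) : '';

    update_post_meta( $post_id, '_demo_visibility', $visibility ); // no authorization check
    wp_send_json_success();
}

// FIXED PATTERN: verify the request nonce (blocks CSRF, which is a separate
// problem and by itself does NOT fix CWE-862), then enforce an object-level
// capability check.  current_user_can( 'edit_post', $post_id ) resolves the
// meta capability through the caller's role, so a Subscriber is denied and an
// Author is denied on posts that are not theirs.
function demo_set_visibility_fixed() {
    check_ajax_referer( 'demo_set_visibility', 'nonce' ); // wp_die()s with 403 on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Allow-list the value rather than trusting whatever sanitize_key() lets through.
    $allowed    = array( 'public', 'members', 'private' );
    $visibility = isset( $_POST['visibility'] ) ? sanitize_key( $_POST['visibility'] ) : '';
    if ( ! in_array( $visibility, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'bad visibility' ), 400 );
    }

    update_post_meta( $post_id, '_demo_visibility', $visibility );
    wp_send_json_success( array( 'post_id' => $post_id, 'visibility' => $visibility ) );
}

// Register only the fixed handler.  Deliberately no wp_ajax_nopriv_ hook:
// unauthenticated visitors receive admin-ajax.php's default "0" response.
add_action( 'wp_ajax_demo_set_visibility', 'demo_set_visibility_fixed' );

// The client must send the matching nonce; emit it where the script is enqueued:
// wp_localize_script( 'demo-js', 'demoAjax',
//     array( 'nonce' => wp_create_nonce( 'demo_set_visibility' ) ) );
```

To confirm whether a plugin handler is affected by this class of flaw, log in as a Subscriber (the lowest default role), capture the request the plugin's own UI sends to admin-ajax.php or its REST route as a privileged user, and replay it from the Subscriber session; a 200 response with the change applied, rather than a 403, is the missing-authorization condition described above. Checking for a nonce alone is a common false fix: a nonce proves the request came from the site's own page, not that the user behind it holds the capability.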
OpenCVE Enrichment