Impact
The vulnerability is a missing authorization flaw in the wpstream plugin: its access-control settings are improperly configured, and an attacker can exploit the resulting gaps. The flaw does not provide arbitrary code execution, but it can let a malicious actor access privileged content or perform actions they should not be permitted to perform, compromising confidentiality and potentially allowing unauthorized data retrieval or manipulation.
Affected Systems
This issue affects the WordPress plugin WpStream, from the earliest released version up through and including version 4.9.5. All installations running any of these versions are potentially vulnerable, regardless of the WordPress core version. No specific WordPress version requirement is noted.
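The version range above can be checked against an installation by reading the plugin's header. The following is an added example, not code from the advisory or from the plugin: it assumes the plugin lives in a directory named wpstream under wp-content/plugins, and the file name wpstream.php in the demo is constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_MAX = (4, 9, 5)   # last affected version stated in the advisory
PLUGIN_SLUG = "wpstream"   # assumption: plugin directory name

# WordPress plugin headers look like " * Version: 4.9.5" in a PHP comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'4.9.5' -> (4, 9, 5); '4.10' -> (4, 10, 0); no digits -> None."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def is_affected(version):
    parsed = parse_version(version)
    return parsed is not None and parsed <= AFFECTED_MAX

def plugin_version(plugin_dir):
    """Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        if "Plugin Name:" in head:
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None

def audit(wp_root):
    """Return (status, version) for one WordPress document root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = plugin_version(plugin_dir)
    if version is None or parse_version(version) is None:
        return ("unknown", version)
    return ("affected" if is_affected(version) else "not-affected", version)

def demo(version):
    """Build a constructed plugin tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        header = f"<?php\n/**\n * Plugin Name: WpStream\n * Version: {version}\n */\n"
        (plugin_dir / "wpstream.php").write_text(header)  # constructed file name
        return audit(root)

if __name__ == "__main__":
    for v in ("4.9.5", "4.10.0"):
        print(v, demo(v))
```

A result of "unknown" means the header could not be read or parsed and the installation should be checked by hand.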
Risk and Exploitability
The CVSS score of 4.3 categorizes the vulnerability as moderate severity, while the EPSS score of less than 1% points to a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, and there is currently no evidence of active exploitation in the wild. The likely attack vector is remote, via the plugin's web interface, taking advantage of insufficient authorization checks. Given the moderate score and low exploitation probability, this issue represents a low-to-moderate risk that still warrants remediation to prevent potential unauthorized data access.