Description
Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WpStream plugin, in versions below 4.11.2, lets an attacker upload arbitrary files to the server through the plugin's web interface. The vulnerability is classified as CWE-434: the plugin accepts arbitrary file types without proper validation, which can be exploited to upload PHP or other executable scripts. Once the malicious file is on the server, the attacker can run it, leading to loss of confidentiality, integrity, and availability of the site and potentially the underlying server.

Affected Systems

Any WordPress installation that has the sc Internet Vivoo WpStream plugin version below 4.11.2 is affected. Sites that rely on the plugin for media handling or file streaming are especially at risk if they allow regular site users to upload content.

Risk and Exploitability

The CVSS score of 5.4 rates the flaw as medium severity; per the vector (AV:N, PR:L, UI:N), it is reachable over the network by a user with low privileges. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low, and the vulnerability is not currently listed in the CISA KEV catalog. However, because the flaw allows file uploads from users with subscriber-level permissions, a remote attacker who can reach the site could exploit it; once a malicious script is uploaded, remote code execution can occur. The official fix is to update the plugin to version 4.11.2 or later.

Generated by OpenCVE AI on June 16, 2026 at 22:28 UTC.

Remediation

Vendor Solution

Update the WordPress WpStream Plugin to the latest available version (at least 4.11.2).


OpenCVE Recommended Actions

  • Apply the vendor-provided patch by upgrading the WpStream plugin to at least version 4.11.2.
  • Configure the plugin or server to accept only whitelisted file types and enforce size limits on uploads to prevent future arbitrary file uploads.
  • Disable or limit upload capabilities for non‑administrative users until a secure update can be applied; consider implementing a web application firewall rule to block suspicious upload attempts.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 23:30:00 +0000

Values removed: none
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Values removed: none
Values added:
  • Description: Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.
  • Title: WordPress WpStream plugin < 4.11.2 - Arbitrary File Upload vulnerability
  • Weaknesses: CWE-434
  • References
  • Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:20:56.739Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39527

Vulnrichment

Updated: 2026-06-15T22:20:52.318Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:46.827

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type