Impact
The WpStream plugin accepts file uploads without proper type validation, as identified by CWE-434. The description notes that an attacker could upload any file through the plugin’s web interface. However, the CVE does not state that the uploaded file can be executed, so the impact is limited to arbitrary file upload.
Affected Systems
Installed instances of the WordPress WpStream plugin version 4.11.1 and earlier are vulnerable. Sites that allow regular subscribers or non‑administrator users to upload media via the plugin are especially exposed.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity for a user interacting via the web, and the EPSS score of less than 1 % suggests the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. A remote attacker who can reach the site is able to upload a file through the plugin’s front‑end. The description does not confirm that uploaded scripts can be executed, but arbitrary file upload could potentially compromise the site.
OpenCVE Enrichment