Description
Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.
Published: 2026-06-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WpStream plugin accepts file uploads without proper type validation, as identified by CWE-434. The description notes that an attacker could upload any file through the plugin’s web interface. However, the CVE does not state that the uploaded file can be executed, so the impact is limited to arbitrary file upload.

Affected Systems

Installed instances of the WordPress WpStream plugin version 4.11.1 and earlier are vulnerable. Sites that allow regular subscribers or non‑administrator users to upload media via the plugin are especially exposed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity for a user interacting via the web, and the EPSS score of less than 1 % suggests the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. A remote attacker who can reach the site is able to upload a file through the plugin’s front‑end. The description does not confirm that uploaded scripts can be executed, but arbitrary file upload could potentially compromise the site.

Generated by OpenCVE AI on June 18, 2026 at 07:14 UTC.

Remediation

Vendor Solution

Update the WordPress WpStream Plugin to the latest available version (at least 4.11.2).


OpenCVE Recommended Actions

  • Upgrade the WordPress WpStream plugin to version 4.11.2 or newer.
  • Restrict upload permissions for non‑administrator users so that only trusted roles can submit files through the plugin.
  • Configure the server or the plugin to allow only a whitelist of safe file types and enforce strict size limits to block unintended uploads.
  • Consider deploying a web application firewall rule that blocks suspicious upload attempts or patterns indicative of malicious content.

Generated by OpenCVE AI on June 18, 2026 at 07:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Sc Internet Vivoo
Sc Internet Vivoo wpstream
Wordpress
Wordpress wordpress
Vendors & Products Sc Internet Vivoo
Sc Internet Vivoo wpstream
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Arbitrary File Upload in WpStream < 4.11.2 versions.
Title WordPress WpStream plugin < 4.11.2 - Arbitrary File Upload vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Sc Internet Vivoo Wpstream
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:20:56.739Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39527

cve-icon Vulnrichment

Updated: 2026-06-15T22:20:52.318Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:46.827

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39527

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:46Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type