{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39526", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:09.605Z", "datePublished": "2026-04-08T08:30:16.335Z", "dateUpdated": "2026-04-08T08:30:16.335Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpstream", "product": "WpStream", "vendor": "wpstream", "versions": [{"changes": [{"at": "4.11.2", "status": "unaffected"}], "lessThanOrEqual": "4.11.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Sharief | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:00.627Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WpStream: from n/a through < 4.11.2.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:16.335Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress WpStream plugin < 4.11.2 - Insecure Direct Object References (IDOR) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2."}], "id": "CVE-2026-39526", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:25.940", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-11-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.11.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "4.11.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WpStream", "source": "cna", "vendor": "wpstream"}, "product": "wpstream", "vendor": "wpstream"}], "analysis": {"en": {"generated_at": "2026-04-08T11:08:50.696500+00:00", "value": {"mitigation_remediation": ["Upgrade wpstream to version 4.11.2 or later", "If an upgrade is not feasible, disable the plugin or remove it entirely", "Ensure that the plugin\u2019s URLs and AJAX endpoints are protected by proper capability checks", "Restrict public access to any media or stream URLs that could be enumerated by an attacker", "Monitor server logs for suspicious requests targeting wpstream endpoints"], "summary": {"action": "Apply Patch Immediately", "impact": "Insecure Direct Object Reference allowing unauthorized access"}, "threat_synthesis": {"affected_systems": "The flaw exists in all released versions of the wpstream plugin from the earliest documented release up through any version prior to 4.11.2. Any WordPress site that has installed wpstream earlier than 4.11.2 and has the plugin enabled is affected. Site owners must verify that their installed version is 4.11.2 or newer to be out of scope.", "description_and_impact": "The wpstream plugin for WordPress contains an IDOR flaw. An attacker can inject a user\u2011controlled key into requests, bypassing internal access controls. This can allow reading or modifying protected media or stream data that should be associated only with a specific user. The vulnerability is a classic authorization bypass (CWE\u2011639).", "risk_and_exploitability": "No official CVSS or EPSS score has been published, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploits are publicly known. However, because the flaw permits direct manipulation of identifiers that bypass user role checks, the risk is moderate to high for sites that expose the plugin\u2019s endpoints to unauthenticated visitors. An attacker would need to target a wpstream URL and supply a tampered key; when the internal check is bypassed, the attacker could retrieve or alter data belonging to other users."}}}}, "created": "2026-04-08T19:30:27.675533+00:00", "updated": "2026-04-08T19:42:44.323615+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpstream", "wpstream$PRODUCT$wpstream"]}