CVE-2026-39527
Description
The WpStream plugin for WordPress (before 4.11.2) allows authenticated subscribers to upload arbitrary files, enabling remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WpStream plugin for WordPress versions prior to 4.11.2 contains an arbitrary file upload vulnerability [1]. Authenticated users with the Subscriber role can upload any file type, including executable scripts, to the server. No additional configuration is required; the code path is reachable when the plugin is active and the user is logged in as a subscriber or higher.
Exploitation
An attacker needs only a valid WordPress subscriber account. They can then craft an HTTP request to the file upload endpoint of the WpStream plugin, bypassing file type restrictions. The attacker uploads a malicious file (e.g., a PHP backdoor) which is stored on the server.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the server, which can lead to complete site compromise: data theft, defacement, or use of the site to stage further attacks. The uploaded code runs with the privileges of the web server process, so an attacker who started with a subscriber account can end up with full administrative control of the site.
Mitigation
The vulnerability is fixed in version 4.11.2 of the WpStream plugin [1]. Users should update to this version or later immediately. If unable to update, Patchstack offers a virtual mitigation rule to block attacks. The vulnerability is expected to be exploited in mass campaigns [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.