CVE-2026-39527 Overview
CVE-2026-39527 is an arbitrary file upload vulnerability in the WpStream WordPress plugin versions prior to 4.11.2. The flaw allows authenticated users with Subscriber-level privileges to upload arbitrary files to the WordPress installation. The vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
The issue stems from missing or insufficient file type validation in the plugin's upload handling logic. Because WpStream is a video streaming and live broadcasting plugin used on monetized WordPress sites, low-privilege Subscriber accounts are commonly available through self-registration, broadening the attacker pool.
Critical Impact
Authenticated Subscriber accounts can upload arbitrary files to a WordPress site running WpStream below version 4.11.2, enabling content tampering and potential follow-on attacks against site integrity and availability.
Affected Products
- WpStream WordPress plugin versions earlier than 4.11.2
- WordPress sites permitting Subscriber-level registration with WpStream installed
- Sites operating WpStream's monetized streaming features prior to the patched release
Discovery Timeline
- 2026-06-15 - CVE-2026-39527 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-39527
Vulnerability Analysis
The vulnerability resides in WpStream's file upload handler, which is reachable by authenticated users holding the WordPress Subscriber role. Subscriber is the lowest-privilege authenticated role and is frequently exposed through open registration on streaming and membership sites.
The upload endpoint does not adequately restrict the file types accepted from Subscriber-level requests. As a result, an attacker can submit files outside the intended media scope. The CVSS vector reflects partial integrity and availability impact with no confidentiality loss, consistent with arbitrary write rather than remote code execution.
The Exploit Prediction Scoring System (EPSS) probability is 0.291%, indicating modeled near-term exploitation likelihood is currently low. No public proof-of-concept or in-the-wild exploitation has been reported through CISA KEV.
Root Cause
The root cause is insufficient validation of uploaded file attributes, mapping to CWE-434. The plugin trusts the authenticated request context without enforcing strict MIME type, extension allowlists, or capability checks appropriate to the Subscriber role. Authorization checks on the upload endpoint do not align with WordPress capability conventions for media operations.
Attack Vector
Exploitation requires network access to the WordPress site and valid Subscriber credentials. The attacker authenticates, then issues a crafted multipart upload request to the vulnerable WpStream endpoint. Because Subscriber registration is commonly self-service on streaming sites, attackers can provision their own accounts without administrator interaction.
The uploaded file is written to a location accessible from within the WordPress installation. Depending on server configuration and uploaded content, the file can be used for defacement, hosting of malicious payloads, or staging of subsequent attacks against site integrity.
For technical details, see the Patchstack WPStream Plugin Vulnerability advisory.
Detection Methods for CVE-2026-39527
Indicators of Compromise
- Unexpected files appearing in wp-content/uploads/ or WpStream-specific upload directories, particularly files with extensions outside standard media types.
- WordPress audit log entries showing file upload actions performed by accounts holding only the Subscriber role.
- Multipart POST requests from Subscriber sessions to WpStream AJAX or REST endpoints with anomalous Content-Type values.
Detection Strategies
- Review WordPress access logs for admin-ajax.php or REST API requests to WpStream actions originating from low-privilege user IDs.
- Compare files on disk in upload directories against the WordPress media library database to surface unregistered or orphaned files.
- Hash and inventory plugin upload directories, then alert on new files whose extensions or magic bytes do not match permitted media types.
Monitoring Recommendations
- Enable WordPress activity logging for user role changes, registrations, and media upload events tied to Subscriber accounts.
- Forward web server and PHP error logs to a centralized analytics platform and alert on upload anomalies from non-Editor accounts.
- Monitor file system events on wp-content/uploads/ paths used by WpStream for writes from the web server process.
How to Mitigate CVE-2026-39527
Immediate Actions Required
- Update the WpStream plugin to version 4.11.2 or later on every affected WordPress site.
- Audit existing Subscriber accounts and remove or disable any unrecognized registrations created before patching.
- Inspect wp-content/uploads/ and WpStream upload paths for files not associated with legitimate media library entries.
Patch Information
The vulnerability is fixed in WpStream version 4.11.2. Site administrators should install the update through the WordPress plugin dashboard or via WP-CLI. Refer to the Patchstack advisory for vendor patch details.
Workarounds
- Disable open Subscriber self-registration by unchecking Anyone can register under WordPress Settings > General until patching is complete.
- Restrict access to WpStream AJAX and REST endpoints at the web server or web application firewall layer for non-administrative roles.
- Enforce server-side MIME and extension allowlists on wp-content/uploads/ and deny execution of non-media file types in upload directories.
# Update WpStream to the patched release using WP-CLI
wp plugin update wpstream --version=4.11.2
# Verify installed version
wp plugin get wpstream --field=version
# Temporarily disable open registration until patched
wp option update users_can_register 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

