CVE-2026-39526
Authorization Bypass in WpStream via User-Controlled Key
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpstream | wpstream | all versions before 4.11.2 (4.11.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39526 is an Insecure Direct Object Reference (IDOR) vulnerability in the WordPress WpStream plugin in versions prior to 4.11.2.
The vulnerability allows unauthorized users to bypass authorization and authentication controls because an object is selected by a key the user supplies without the plugin verifying that the user is allowed to access that object.
As a result, an attacker with a privilege level as low as a subscriber or developer role can potentially gain access to files, folders, or database records that they should not be able to access.
The issue falls under the OWASP Top 10 category A1: Broken Access Control.
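As an added illustration of the CWE-639 pattern described above (hypothetical example code, not WpStream's own code; the handler, nonce, post type and action names are assumed), here is a WordPress AJAX handler that trusts a client-supplied record ID, followed by its hardened form:

```php
<?php
// Added illustration of CWE-639 in a WordPress AJAX handler. Hypothetical
// code, not taken from WpStream; function, nonce and post-type names are assumed.

// Vulnerable pattern: the record is selected purely by a client-supplied ID.
function demo_get_stream_vulnerable() {
    $stream_id = (int) $_POST['stream_id'];          // user-controlled key
    $stream    = get_post( $stream_id );
    if ( ! $stream ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No check that the caller owns $stream: any logged-in subscriber can
    // read another user's record simply by supplying its ID.
    wp_send_json_success( get_post_meta( $stream_id ) );
}

// Hardened pattern: verify the nonce, the login state, the object type,
// and the caller's ownership of (or capability on) the requested object.
function demo_get_stream_hardened() {
    check_ajax_referer( 'demo_stream_nonce', 'nonce' );   // CSRF protection
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $stream_id = isset( $_POST['stream_id'] ) ? absint( $_POST['stream_id'] ) : 0;
    $stream    = get_post( $stream_id );
    // Treat wrong post type and wrong owner the same as "not found" so the
    // response does not confirm which IDs exist.
    if ( ! $stream || 'demo_stream' !== $stream->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    $is_owner = (int) $stream->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $stream_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( get_post_meta( $stream_id ) );
}
add_action( 'wp_ajax_demo_get_stream', 'demo_get_stream_hardened' );
```

The ownership comparison against `post_author` plus the `edit_post` meta capability is the check whose absence turns a valid-looking ID lookup into an authorization bypass; auditing a plugin's AJAX and REST handlers for exactly this missing step is the practical detection approach when no signature is available.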
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive data or resources within the WpStream plugin environment.
Attackers exploiting this flaw can bypass access controls, potentially exposing files, folders, or database information that should be protected.
Although the CVSS severity score is 5.4 (low severity), the vulnerability can be exploited in mass campaigns targeting many websites, regardless of their traffic or popularity.
The required privilege level to exploit this vulnerability is low, increasing the risk of unauthorized access.
Timely updating to version 4.11.2 or later is strongly recommended to mitigate this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-39526 vulnerability is an Insecure Direct Object References (IDOR) issue in the WordPress WpStream Plugin versions prior to 4.11.2, allowing unauthorized users to bypass authorization controls.
There is no specific information provided about detection methods or commands to identify exploitation attempts or presence of this vulnerability on your network or system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-39526 vulnerability allows unauthorized users to bypass authorization and authentication controls, potentially granting access to sensitive files, folders, or database interactions.
Such unauthorized access could lead to exposure of sensitive personal or protected health information, which may result in non-compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.
Although the vulnerability has a low severity score (5.4) and is unlikely to be exploited with high impact, failure to patch it could increase the risk of data breaches, thereby affecting compliance with these regulations.
Timely updating to version 4.11.2 or later is strongly recommended to mitigate this risk and maintain compliance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are strongly advised to update the WordPress WpStream Plugin to version 4.11.2 or later, where the issue has been patched.
Patchstack also offers mitigation solutions such as auto-updates for vulnerable plugins to provide rapid protection.
Since the required privilege level to exploit this vulnerability is as low as a subscriber or developer role, timely updating is critical to prevent unauthorized access.