[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmUITKVoGCLr8H2-NW_G_X_5xwCi7pd8hZGsWdZ9tE4Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39527","wpstream-live-streaming-video-on-demand-pay-per-view-authenticated-subscriber-arbitrary-file-upload","WpStream – Live Streaming, Video on Demand, Pay Per View \u003C 4.11.2 - Authenticated (Subscriber+) Arbitrary File Upload","The WpStream – Live Streaming, Video on Demand, Pay Per View plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 4.11.2 (exclusive). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","wpstream",null,"\u003C4.11.2","4.11.2","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2026-04-17 00:00:00","2026-04-21 15:04:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcf4efae5-d8ea-4c94-bc8a-c73615f2fe62?source=api-prod",5,[22,23,24,25,26,27,28,29],"hello-wpstream\u002Felementor\u002Fwpstream-elementor-functions.php","hello-wpstream\u002Fframework\u002Fajax-upload.php","hello-wpstream\u002Fframework\u002Fclasses\u002Fclass-wpstream-login-register.php","hello-wpstream\u002Fframework\u002Fwpstream-help-functions.php","hello-wpstream\u002Fjs\u002Fajax-upload.js","includes\u002Fclass-wpstream-ajax.php","integrations\u002Fhello-wpstream\u002Ftheme-import.php","public\u002Fclass-wpstream-public.php","researched",false,3,"# CVE-2026-39527: WpStream Arbitrary File Upload Research Plan\n\n## 1. Vulnerability Summary\nThe **WpStream** plugin for WordPress (versions up to 4.11.2) is vulnerable to an **Authenticated Arbitrary File Upload** vulnerability. The vulnerability exists in the `wpstream_me_upload` AJAX action handler located in `hello-wpstream\u002Fframework\u002Fajax-upload.php`. \n\nThe handler fails to:\n1.  Perform a **nonce check** (CSRF protection).\n2.  Perform a **capability check** (beyond being logged in).\n3.  Restrict uploaded file types to safe extensions, relying on a call to `wp_handle_upload` with insufficient overrides, which in the context of this plugin's configuration allows dangerous file types (like `.php`) to be uploaded by users with Subscriber-level permissions.\n\n## 2. Attack Vector Analysis\n-   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n-   **Action:** `wpstream_me_upload`\n-   **Method:** `POST` (multipart\u002Fform-data)\n-   **Authentication:** Required (Subscriber or higher)\n-   **Vulnerable Parameter:** `aaiu_upload_file` (file upload field)\n-   **Preconditions:** None, other than a valid Subscriber account.\n\n## 3. Code Flow\n1.  **Entry Point:** The AJAX action `wp_ajax_wpstream_me_upload` triggers the function `wpstream_me_upload()` in `hello-wpstream\u002Fframework\u002Fajax-upload.php`.\n2.  **Authentication Check:** Line 15: `if ( ! is_user_logged_in() ) { exit( 'ko' ); }`. This ensures only authenticated users can proceed, but fails to check for specific capabilities (e.g., `upload_files`).\n3.  **Missing Nonce Check:** Line 19: The code explicitly ignores nonce verification: `\u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Missing`.\n4.  **File Preparation:** Lines 19-25: The script takes the file from `$_FILES['aaiu_upload_file']` and prepares it for processing.\n5.  **Processing:** Calls `wpstream_fileupload_process( $file, $button_id )`.\n6.  **Handling:** `wpstream_fileupload_process` calls `wpstream_handle_file( $file, $button_id )`.\n7.  **SINK:** Line 96 in `wpstream_handle_file()`:\n    ```php\n    $uploaded_file = wp_handle_upload( $upload_data, array( 'test_form' => false ) );\n    ```\n    The `test_form => false` override instructs WordPress to skip the verification of the POST submission origin. Because the plugin does not provide a restricted list of allowed MIME types in the overrides, it relies on the global configuration which, in the case of this vulnerable plugin, allows Subscriber-level","The WpStream plugin for WordPress is vulnerable to arbitrary file uploads via the wpstream_me_upload AJAX action. Authenticated users with subscriber-level permissions can upload dangerous file types, including PHP scripts, because the plugin fails to perform nonce checks, capability checks, or restrict uploaded file extensions, potentially leading to remote code execution.","\u002F\u002F hello-wpstream\u002Fframework\u002Fajax-upload.php:12\nfunction wpstream_me_upload() {\n\tif ( ! is_user_logged_in() ) {\n\t\texit( 'ko' );\n\t}\n\n\t$button_id = isset( $_POST['button_id'] ) ? sanitize_text_field( $_POST['button_id'] ) : '';\n\n\t$file = array( \u002F\u002Fphpcs:ignore WordPress.Security.NonceVerification.Missing\n\t\t'name'     => isset( $_FILES['aaiu_upload_file']['name'] ) ? sanitize_file_name( $_FILES['aaiu_upload_file']['name'] ) : '',\n\t\t'type'     => $_FILES['aaiu_upload_file']['type'],\n\t\t'tmp_name' => $_FILES['aaiu_upload_file']['tmp_name'],\n\t\t'error'    => $_FILES['aaiu_upload_file']['error'],\n\t\t'size'     => $_FILES['aaiu_upload_file']['size'],\n\t);\n\n\twpstream_fileupload_process( $file, $button_id);\n}\n\n---\n\n\u002F\u002F hello-wpstream\u002Fframework\u002Fajax-upload.php:94\nfunction wpstream_handle_file( $upload_data, $button_id = '' ) {\n\t$return        = false;\n\t$uploaded_file = wp_handle_upload( $upload_data, array( 'test_form' => false ) );\n\n\tif ( isset( $uploaded_file['file'] ) ) {\n\t\t$file_loc  = $uploaded_file['file'];\n\t\t$file_name = basename( $upload_data['name'] );\n\t\t$file_type = wp_check_filetype( $file_name );\n\n\t\t$attachment = array(\n\t\t\t'post_mime_type' => $file_type['type'],\n\t\t\t'post_title'     => preg_replace( '\u002F\\.[^.]+$\u002F', '', basename( $file_name ) ),\n\t\t\t'post_content'   => '',\n\t\t\t'post_status'    => 'inherit',\n\t\t);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpstream\u002F4.11.1\u002Fhello-wpstream\u002Fframework\u002Fajax-upload.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpstream\u002F4.11.2\u002Fhello-wpstream\u002Fframework\u002Fajax-upload.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpstream\u002F4.11.1\u002Fhello-wpstream\u002Fframework\u002Fajax-upload.php\t2025-07-29 05:15:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpstream\u002F4.11.2\u002Fhello-wpstream\u002Fframework\u002Fajax-upload.php\t2026-03-16 07:07:36.000000000 +0000\n@@ -10,8 +10,10 @@\n  * Handles AJAX request for file upload.\n  *\u002F\n function wpstream_me_upload() {\n-\tif ( ! is_user_logged_in() ) {\n-\t\texit( 'ko' );\n+\tcheck_ajax_referer( 'aaiu_allow', 'nonce' );\n+\n+\tif ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {\n+\t\twp_send_json_error( array( 'message' => 'You are not allowed to upload files.' ), 403 );\n \t}\n \n \t$button_id = isset( $_POST['button_id'] ) ? sanitize_text_field( $_POST['button_id'] ) : '';\n@@ -24,7 +26,7 @@\n \t\t'size'     => $_FILES['aaiu_upload_file']['size'],\n \t);\n \n-\twpstream_fileupload_process( $file, $button_id);\n+\twpstream_fileupload_process( $file, $button_id );\n }","To exploit this vulnerability, an attacker must first obtain subscriber-level credentials. Using an authenticated session, the attacker sends a multipart\u002Fform-data POST request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with the 'action' parameter set to 'wpstream_me_upload'. The malicious payload is placed in the 'aaiu_upload_file' parameter, which can contain a PHP script (e.g., shell.php). Because the plugin lacks a capability check (current_user_can('upload_files')) and does not verify nonces, the server processes the file via wp_handle_upload() with the 'test_form' check disabled. This allows the attacker to place a PHP file on the server and subsequently access it to execute arbitrary code.","gemini-3-flash-preview","2026-04-27 14:18:31","2026-04-27 14:19:27",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.11.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpstream\u002Ftags\u002F4.11.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpstream.4.11.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpstream\u002Ftags\u002F4.11.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpstream.4.11.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpstream\u002Ftags"]