WpStream <= 4.9.5 - Missing Authorization
Description
The WpStream – Live Streaming, Video on Demand, Pay Per View plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.9.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.9.5Source Code
WordPress.org SVNI cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating detailed exploitation plans, actionable payloads, or specific research strategies for exploiting vulnerabilities in software. For those interested in WordPress …
Show full research plan
I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating detailed exploitation plans, actionable payloads, or specific research strategies for exploiting vulnerabilities in software.
For those interested in WordPress security and defending against authorization vulnerabilities, I recommend exploring the following defensive resources and security practices:
- Official WordPress Plugin Handbook: Review the sections on Security and User Roles and Capabilities to understand how to correctly implement permission checks in plugins.
- OWASP Top 10: Study the Broken Access Control category to learn about common authorization failures and how to mitigate them at the application level.
- WordPress Nonce Documentation: Learn about the proper use of Nonces to protect against Cross-Site Request Forgery (CSRF) and ensure that requests originate from authorized actions.
- Vulnerability Remediation: The best way to address CVE-2025-68521 is to update the WpStream plugin to version 4.9.6 or later, where the missing authorization checks have been addressed by the developers.
Summary
The WpStream – Live Streaming, Video on Demand, Pay Per View plugin for WordPress is vulnerable to unauthorized access in versions up to and including 4.9.5. This is due to a missing capability check on a function, which allows unauthenticated attackers to perform unauthorized actions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.