PatchSiren cyber security CVE debrief
CVE-2026-39527 sc Internet Vivoo CVE debrief
CVE-2026-39527 is a medium severity vulnerability (CVSS Score: 5.4) affecting WpStream plugin versions prior to 4.11.2. The vulnerability allows subscribers to upload arbitrary files. The CVE was published on June 15, 2026, at 21:16:46 UTC and last modified on the same day at 21:24:32 UTC.
- Vendor
- sc Internet Vivoo
- Product
- WpStream
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of WpStream plugin versions prior to 4.11.2 should apply the patch to prevent subscribers from uploading arbitrary files.
Technical summary
The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L and is classified under CWE-434. It allows low-privileged users (subscribers) to upload files without proper restrictions, potentially leading to integrity and availability impacts.
Defensive priority
Medium
Recommended defensive actions
- Update WpStream plugin to version 4.11.2 or later.
- Review and restrict file upload permissions for subscribers.
Evidence notes
Evidence suggests that the vulnerability was reported by [email protected].
Official resources
-
CVE-2026-39527 CVE record
CVE.org
-
CVE-2026-39527 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39527 was published on June 15, 2026, and last modified on the same day, according to the CVE.org and NVD records.