Plugin Vulnerability Hub
Plugin | 7 known issues | Latest disclosed: Feb 14, 2025

Stream Vulnerabilities

Review known vulnerability records for the WordPress plugin Stream (`stream`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-13879, CVE-2024-7423 and CVE-2022-43450, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 7
High or Critical: 3
Patch Coverage: 100%
Last Updated: Feb 17, 2025

Indexed CVEs: 6

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Stream so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 7 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 0 critical and 3 high severity findings.
Recent CVEs: CVE-2024-13879, CVE-2024-7423 and CVE-2022-43450
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Known Vulnerabilities

Reports for Stream

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: Medium | Patched: Yes | CVE-2024-13879
CVE-2024-13879: Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery

The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make w...

Published: Feb 14, 2025
Patched Release: 4.1.0
Affected Versions: Versions up to 4.0.2
Next Step: Update to 4.1.0 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2024-7423
CVE-2024-7423: Stream <= 4.0.1 - Cross-Site Request Forgery to Arbitrary Options Update

The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update a...

Published: Sep 12, 2024
Patched Release: 4.0.2
Affected Versions: Versions up to 4.0.1
Next Step: Update to 4.0.2 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2022-43450
CVE-2022-43450: Stream <= 3.9.2 - Missing Authorization via load_alerts_settings

The Stream plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_alerts_settings function in versions up to, and including, 3.9.2. This makes it possible for authenticated attackers with subscriber-level permissions or abo...

Published: Apr 25, 2023
Patched Release: 3.9.3
Affected Versions: Versions before 3.9.3
Next Step: Update to 3.9.3 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2022-43490
CVE-2022-43490: Stream <= 3.9.2 - Cross-Site Request Forgery

The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.9.2. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a fo...

Published: Apr 18, 2023
Patched Release: 3.9.3
Affected Versions: Versions up to 3.9.2
Next Step: Update to 3.9.3 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2022-4384
CVE-2022-4384: Stream <= 3.9.1 - Missing Authorization to Sensitive Information Disclosure

The Stream plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'save_new_alert' and 'get_new_alert_triggers_notifications' functions in versions up to, and including, 3.9.1. This makes it possible for subscriber-level attackers to u...

Published: Jan 16, 2023
Patched Release: 3.9.2
Affected Versions: Versions up to 3.9.1
Next Step: Update to 3.9.2 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2021-24772
CVE-2021-24772: Stream <= 3.8.1 - Admin+ SQL Injection

The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.

Published: Oct 18, 2021
Patched Release: 3.8.2
Affected Versions: Versions up to 3.8.1
Next Step: Update to 3.8.2 or newer if supported.

Plugin | Severity: High | Patched: Yes
Stream <= 3.0.5 - Sensitive Data Exposure

The Stream plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 3.0.5. This can allow unauthenticated attackers to extract sensitive data including logged entries.

Published: May 31, 2016
Patched Release: 3.0.6
Affected Versions: Versions up to 3.0.5
Next Step: Update to 3.0.6 or newer if supported.