45 matches found
Stream < 3.8.2 - Admin+ SQL Injection
The plugin does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. PoC: https://example.com/wp-admin/admin.php?page=wpstream=+AND+SELECT+9940+FROM+SELECTSLEEP5vqNl...
Stream <= 3.0.5 - Unauthenticated Events Export
The Stream WordPress plugin allows unauthenticated users to export CSV or JSON of recent events. The code only checks to see if the proper GET variables are passed to a valid backend WordPress handler and will happily export logged entries. Reported to maintainers on 5/25/2016 and new version...
WordPress Stream Plugin <= 3.0.5 - Unauthenticated Events Export
Because of this vulnerability, unauthenticated users can export CSV or JSON of recent events. Solution: Update the plugin...
Uber: Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin
newsroom.uber.com uses a WordPress plugin called Stream to log user activity. In some cases the logged events aren't sanitized properly and can contain HTML tags and JavaScript. An unauthenticated user can produce such a log message to inject JavaScript in the admin panel. When an administrator...
Yatse Stream Plugin - Customized SSL, Insecure KeyStore vulnerabilities
The HackApp vulnerability scanner discovered that the application Yatse Stream Plugin, published on the 'play' market, has multiple vulnerabilities...