Stream Security & Risk Analysis

wordpress.org/plugins/stream

With Stream, you’re never left in the dark about changes to your WordPress site.

80K active installs · v4.1.2 · PHP + WP 4.6+ · Updated Feb 24, 2026

Tags: activity, logs, stream, track, wp-stream

Score: 93 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Feb 14, 2025
Safety Verdict

Is Stream Safe to Use in 2026?

Generally Safe

Score 93/100

Stream has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Feb 14, 2025 · Updated 1mo ago
Risk Assessment

The 'stream' plugin v4.1.2 exhibits a mixed security posture. While it demonstrates good practices in prepared SQL statements (85%) and output escaping (93%), and has no critical taint-analysis findings, there are several concerning areas. The presence of one AJAX handler without any authentication checks is a significant direct attack vector. Furthermore, the plugin's history of 7 known CVEs, including 3 high-severity vulnerabilities such as SSRF, CSRF, and SQL Injection, indicates a pattern of past security weaknesses that requires careful attention, even though none are currently unpatched.

The static analysis reveals an attack surface with 10 entry points, one of which is unprotected. The use of the dangerous `assert` function is also a red flag, although its specific context and impact are not detailed in the provided data. The 14 capability checks and 20 nonce checks are positive signs, suggesting some level of security implementation, but the lack of authorization on one AJAX handler significantly undermines these efforts. The plugin's historical vulnerability types further highlight recurring issues that users should be aware of.

In conclusion, while the plugin shows improvement in areas like SQL sanitization and output escaping, the unprotected AJAX handler and the past vulnerability trends are notable weaknesses. Users should proceed with caution, keep the plugin up to date, and consider additional security measures to mitigate the risks associated with the identified unprotected entry point.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function 'assert' used
  • History of 7 CVEs, including 3 high
  • Vulnerability types include SSRF, CSRF, SQLi
Vulnerabilities: 7

Stream Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2021: 1 CVE
2023: 3 CVEs
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 3
Medium: 4

7 total CVEs

CVE-2024-13879 · medium · 5.5 · Server-Side Request Forgery (SSRF)
Stream <= 4.0.2 - Authenticated (Admin+) Server-Side Request Forgery
Feb 14, 2025 · Patched in 4.1.0 (4d)

CVE-2024-7423 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Stream <= 4.0.1 - Cross-Site Request Forgery to Arbitrary Options Update
Sep 12, 2024 · Patched in 4.0.2 (2d)

CVE-2022-43450 · medium · 4.3 · Missing Authorization
Stream <= 3.9.2 - Missing Authorization via load_alerts_settings
Apr 25, 2023 · Patched in 3.9.3 (273d)

CVE-2022-43490 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Stream <= 3.9.2 - Cross-Site Request Forgery
Apr 18, 2023 · Patched in 3.9.3 (280d)

CVE-2022-4384 · medium · 4.3 · Missing Authorization
Stream <= 3.9.1 - Missing Authorization to Sensitive Information Disclosure
Jan 16, 2023 · Patched in 3.9.2 (372d)

CVE-2021-24772 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Stream <= 3.8.1 - Admin+ SQL Injection
Oct 18, 2021 · Patched in 3.8.2 (827d)

WF-ecd68933-e808-4816-b9d2-7491194f2347-stream · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor
Stream <= 3.0.5 - Sensitive Data Exposure
May 31, 2016 · Patched in 3.0.6 (2793d)
Code Analysis
Analyzed Mar 16, 2026

Stream Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 8 (45 prepared)
Unescaped Output: 28 (396 escaped)
Nonce Checks: 20
Capability Checks: 14
File Operations: 2
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

assert · `assert( $old_sidebar_id !== $new_sidebar_id );` · connectors\class-connector-widgets.php:489

Bundled Libraries

Select2

SQL Query Safety

85% prepared (53 total queries)

Output Escaping

93% escaped (424 total outputs)

Attack Surface: 1 unprotected

Stream Attack Surface

Entry Points: 10
Unprotected: 1

AJAX Handlers: 10

auth · wp_ajax_wp_stream_reset · classes\class-admin.php:196
auth · wp_ajax_wp_stream_filters · classes\class-admin.php:215
auth · wp_ajax_load_alerts_settings · classes\class-alerts.php:102
auth · wp_ajax_get_actions · classes\class-alerts.php:109
auth · wp_ajax_save_new_alert · classes\class-alerts.php:110
auth · wp_ajax_get_new_alert_triggers_notifications · classes\class-alerts.php:117
auth · wp_ajax_stream_enable_live_update · classes\class-live-update.php:47
auth · wp_ajax_stream_get_users · classes\class-settings.php:89
auth · wp_ajax_stream_get_ips · classes\class-settings.php:92
auth · wp_ajax_edit-theme-plugin-file · connectors\class-connector-editor.php:50
WordPress Hooks: 92

filter · wp_stream_alerts_save_meta · alerts\class-alert-type-email.php:45
filter · wp_stream_record_classes · alerts\class-alert-type-highlight.php:74
action · admin_enqueue_scripts · alerts\class-alert-type-highlight.php:83
filter · wp_stream_alerts_save_meta · alerts\class-alert-type-highlight.php:112
filter · wp_stream_alerts_save_meta · alerts\class-alert-type-ifttt.php:78
action · admin_bar_menu · alerts\class-alert-type-menu-alert.php:39
filter · wp_stream_alerts_save_meta · alerts\class-alert-type-slack.php:42
action · init · classes\class-admin.php:141
filter · user_has_cap · classes\class-admin.php:149
filter · role_has_cap · classes\class-admin.php:150
action · admin_menu · classes\class-admin.php:161
action · admin_notices · classes\class-admin.php:165
action · shutdown · classes\class-admin.php:166
action · admin_notices · classes\class-admin.php:169
filter · admin_body_class · classes\class-admin.php:172
filter · plugin_action_links · classes\class-admin.php:175
action · admin_enqueue_scripts · classes\class-admin.php:186
action · admin_enqueue_scripts · classes\class-admin.php:193
action · wp_loaded · classes\class-admin.php:205
action · wp_stream_auto_purge · classes\class-admin.php:206
action · shutdown · classes\class-admin.php:286
action · wp_stream_alert_trigger_form_display · classes\class-alert-trigger.php:39
action · wp_stream_alert_trigger_form_save · classes\class-alert-trigger.php:40
filter · wp_stream_alert_trigger_check · classes\class-alert-trigger.php:41
filter · bulk_actions-edit-wp_stream_alerts · classes\class-alerts-list.php:31
filter · disable_months_dropdown · classes\class-alerts-list.php:32
filter · post_row_actions · classes\class-alerts-list.php:33
filter · request · classes\class-alerts-list.php:37
filter · views_edit-wp_stream_alerts · classes\class-alerts-list.php:39
filter · manage_wp_stream_alerts_posts_columns · classes\class-alerts-list.php:41
action · manage_wp_stream_alerts_posts_custom_column · classes\class-alerts-list.php:42
action · quick_edit_custom_box · classes\class-alerts-list.php:44
action · admin_enqueue_scripts · classes\class-alerts-list.php:45
filter · wp_insert_post_data · classes\class-alerts-list.php:47
action · init · classes\class-alerts.php:69
action · wp_stream_admin_menu · classes\class-alerts.php:72
action · admin_enqueue_scripts · classes\class-alerts.php:75
action · network_admin_menu · classes\class-alerts.php:83
filter · wp_stream_record_inserted · classes\class-alerts.php:92
filter · wp_stream_action_links_posts · classes\class-alerts.php:128
action · shutdown · classes\class-connector.php:203
action · admin_init · classes\class-export.php:37
action · wp_stream_record_actions_menu · classes\class-export.php:38
filter · stream_records_per_page · classes\class-export.php:67
filter · wp_stream_list_table_columns · classes\class-export.php:68
action · all_admin_notices · classes\class-install.php:133
filter · screen_settings · classes\class-list-table.php:60
filter · set-screen-option · classes\class-list-table.php:69
filter · heartbeat_received · classes\class-live-update.php:44
filter · wp_stream_query_args · classes\class-network.php:46
action · init · classes\class-network.php:55
action · network_admin_menu · classes\class-network.php:56
action · network_admin_menu · classes\class-network.php:57
action · admin_menu · classes\class-network.php:58
action · admin_bar_menu · classes\class-network.php:59
action · network_admin_notices · classes\class-network.php:60
action · wpmuadminedit · classes\class-network.php:61
filter · wp_stream_blog_id_logged · classes\class-network.php:65
filter · wp_stream_admin_page_title · classes\class-network.php:66
filter · wp_stream_list_table_screen_id · classes\class-network.php:67
filter · wp_stream_list_table_filters · classes\class-network.php:68
filter · wp_stream_list_table_columns · classes\class-network.php:69
filter · wp_stream_settings_form_action · classes\class-network.php:70
filter · wp_stream_settings_form_description · classes\class-network.php:71
filter · wp_stream_settings_option_fields · classes\class-network.php:72
filter · wp_stream_serialized_labels · classes\class-network.php:73
filter · wp_stream_connectors · classes\class-network.php:74
action · plugins_loaded · classes\class-plugin.php:170
action · init · classes\class-plugin.php:179
action · wp_head · classes\class-plugin.php:182
action · plugins_loaded · classes\class-plugin.php:185
action · admin_init · classes\class-settings.php:66
filter · wp_stream_serialized_labels · classes\class-settings.php:80
filter · user_search_columns · classes\class-settings.php:123
filter · wp_stream_log_data · connectors\class-connector-acf.php:121
action · shutdown · connectors\class-connector-acf.php:452
filter · wp_stream_log_data · connectors\class-connector-bbpress.php:164
filter · wp_stream_log_data · connectors\class-connector-edd.php:251
filter · wp_stream_log_data · connectors\class-connector-jetpack.php:205
action · registered_post_type · connectors\class-connector-posts.php:66
action · admin_head · connectors\class-connector-settings.php:213
action · admin_enqueue_scripts · connectors\class-connector-settings.php:214
action · updated_option · connectors\class-connector-settings.php:648
action · registered_taxonomy · connectors\class-connector-taxonomies.php:88
filter · wp_stream_log_data · connectors\class-connector-two-factor.php:106
filter · wp_stream_log_data · connectors\class-connector-user-switching.php:82
action · customize_save_after · connectors\class-connector-widgets.php:141
filter · wp_stream_posts_exclude_post_types · connectors\class-connector-woocommerce.php:106
action · wp_stream_comments_exclude_comment_types · connectors\class-connector-woocommerce.php:107
action · admin_enqueue_scripts · connectors\class-connector-wordpress-seo.php:215
filter · wp_stream_log_data · connectors\class-connector-wordpress-seo.php:216
action · shutdown · stream.php:44

Scheduled Events: 1

wp_stream_auto_purge
Maintenance & Trust

Stream Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version:
Downloads: 2.2M

Community Trust

Rating: 86/100
Number of ratings: 76
Active installs: 80K
Developer Profile

Stream Developer Profile

XWP

16 plugins · 118K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 482 days
Detection Fingerprints

How We Detect Stream

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/stream/assets/css/stream.css
/wp-content/plugins/stream/assets/js/stream.js

Script Paths
/wp-content/plugins/stream/assets/js/stream.js

Version Parameters
stream/assets/css/stream.css?ver=
stream/assets/js/stream.js?ver=

HTML / DOM Fingerprints

CSS Classes
stream-list-table-no-items
wp_stream_list_table_columns
wp_stream_list_table_screen_id

Data Attributes
data-stream-date
data-stream-user-id
data-stream-context
data-stream-action
data-stream-ip

JS Globals
wp_stream_settings

REST Endpoints
/wp-json/stream/v1/settings

Shortcode Output
[stream-log]
[stream-activity-feed]
FAQ

Frequently Asked Questions about Stream