WP-Safety

StreamCast – Live Radio Streaming Player Security & Risk Analysis

wordpress.org/plugins/streamcast

StreamCast allows you to play IceCast, Shoutcast, Radionomy, RadioJar, RadioCo and more beautifully inside WordPress.

1K active installs v2.3.9 PHP 7.1+ WP 6.6+ Updated Feb 24, 2026
audio-playericecastlive-streamradio-playershoutcast
99
A · Safe
CVEs total2
Unpatched0
Last CVEAug 7, 2024
Plugin page Download
Safety Verdict

Is StreamCast – Live Radio Streaming Player Safe to Use in 2026?

Generally Safe

Score 99/100

StreamCast – Live Radio Streaming Player has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Aug 7, 2024Updated 1mo ago
Risk Assessment

The "streamcast" v2.3.9 plugin exhibits a generally good security posture based on the static analysis. The absence of unprotected entry points, dangerous functions, raw SQL queries, and external HTTP requests are positive indicators. Taint analysis revealing no unsanitized paths further strengthens this view. However, the plugin's history of two medium-severity Cross-Site Scripting (XSS) vulnerabilities, with the last one being quite recent (August 2024), raises a significant concern. While there are currently no unpatched CVEs, this pattern suggests a recurring weakness in input sanitization or output escaping, which could be exploited in future versions if not thoroughly addressed. The plugin correctly implements nonce and capability checks for its AJAX handlers and shortcodes, and all SQL queries utilize prepared statements. The 70% output escaping rate is a moderate weakness, as the remaining 30% of outputs could potentially be vulnerable to XSS if they handle user-supplied data without proper escaping. The Freemius library version is also noted, though its specific version is not an immediate red flag without further context on its known vulnerabilities.

Key Concerns

  • Recent Medium Severity XSS Vulnerabilities
  • 30% of Outputs Not Properly Escaped
  • Bundled Library Freemius v1.0
Vulnerabilities
2

StreamCast – Live Radio Streaming Player Security Vulnerabilities

CVEs by Year

1 CVE in 2021
2021
1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-43148medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

StreamCast <= 2.2.3 - Authenticated (Editor+) Stored Cross-Site Scripting

Aug 7, 2024 Patched in 2.2.4 (8d)
CVE-2021-24416medium · 5.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

StreamCast – Radio Player for WordPress <= 2.1.0 - Cross-Site Scripting

Sep 20, 2021 Patched in 2.1.1 (855d)
Code Analysis
Analyzed Mar 16, 2026

StreamCast – Live Radio Streaming Player Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
2 prepared
Unescaped Output
229
546 escaped
Nonce Checks
12
Capability Checks
2
File Operations
0
External Requests
0
Bundled Libraries
1

Bundled Libraries

Freemius1.0

SQL Query Safety

100% prepared2 total queries

Output Escaping

70% escaped775 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
csf_export (frameworks\codestar-framework\functions\actions.php:62)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

StreamCast – Live Radio Streaming Player Attack Surface

Entry Points7
Unprotected0

AJAX Handlers 5

authwp_ajax_csf-get-iconsframeworks\codestar-framework\functions\actions.php:50
authwp_ajax_csf-exportframeworks\codestar-framework\functions\actions.php:87
authwp_ajax_csf-importframeworks\codestar-framework\functions\actions.php:123
authwp_ajax_csf-resetframeworks\codestar-framework\functions\actions.php:150
authwp_ajax_csf-chosenframeworks\codestar-framework\functions\actions.php:189

Shortcodes 2

[stream] inc\class-streamcast.php:20
[radio_player] public\shortcode-free.php:141
WordPress Hooks 66
actionwp_enqueue_scriptsframeworks\codestar-framework\classes\abstract.class.php:20
actionadmin_menuframeworks\codestar-framework\classes\admin-options.class.php:107
actionadmin_bar_menuframeworks\codestar-framework\classes\admin-options.class.php:108
actionnetwork_admin_menuframeworks\codestar-framework\classes\admin-options.class.php:112
filteradmin_footer_textframeworks\codestar-framework\classes\admin-options.class.php:432
actionadd_meta_boxes_commentframeworks\codestar-framework\classes\comment-options.class.php:38
actionedit_commentframeworks\codestar-framework\classes\comment-options.class.php:39
actioncustomize_registerframeworks\codestar-framework\classes\customize-options.class.php:44
actioncustomize_save_afterframeworks\codestar-framework\classes\customize-options.class.php:45
actionwp_enqueue_scriptsframeworks\codestar-framework\classes\customize-options.class.php:49
actionadd_meta_boxesframeworks\codestar-framework\classes\metabox-options.class.php:52
actionsave_postframeworks\codestar-framework\classes\metabox-options.class.php:53
actionedit_attachmentframeworks\codestar-framework\classes\metabox-options.class.php:54
actionwp_nav_menu_item_custom_fieldsframeworks\codestar-framework\classes\nav-menu-options.class.php:32
actionwp_update_nav_menu_itemframeworks\codestar-framework\classes\nav-menu-options.class.php:33
filterwp_edit_nav_menu_walkerframeworks\codestar-framework\classes\nav-menu-options.class.php:35
actionadmin_initframeworks\codestar-framework\classes\profile-options.class.php:32
actionshow_user_profileframeworks\codestar-framework\classes\profile-options.class.php:44
actionedit_user_profileframeworks\codestar-framework\classes\profile-options.class.php:45
actionpersonal_options_updateframeworks\codestar-framework\classes\profile-options.class.php:47
actionedit_user_profile_updateframeworks\codestar-framework\classes\profile-options.class.php:48
actionafter_setup_themeframeworks\codestar-framework\classes\setup.class.php:73
actioninitframeworks\codestar-framework\classes\setup.class.php:74
actionswitch_themeframeworks\codestar-framework\classes\setup.class.php:75
actionadmin_enqueue_scriptsframeworks\codestar-framework\classes\setup.class.php:76
actionwp_enqueue_scriptsframeworks\codestar-framework\classes\setup.class.php:77
actionwp_headframeworks\codestar-framework\classes\setup.class.php:78
filteradmin_body_classframeworks\codestar-framework\classes\setup.class.php:79
actionadmin_footerframeworks\codestar-framework\classes\shortcode-options.class.php:47
actioncustomize_controls_print_footer_scriptsframeworks\codestar-framework\classes\shortcode-options.class.php:48
actionelementor/editor/before_enqueue_scriptsframeworks\codestar-framework\classes\shortcode-options.class.php:59
actionelementor/editor/footerframeworks\codestar-framework\classes\shortcode-options.class.php:60
actionelementor/editor/footerframeworks\codestar-framework\classes\shortcode-options.class.php:61
actionenqueue_block_editor_assetsframeworks\codestar-framework\classes\shortcode-options.class.php:258
actionmedia_buttonsframeworks\codestar-framework\classes\shortcode-options.class.php:262
actionadmin_initframeworks\codestar-framework\classes\taxonomy-options.class.php:41
actionadmin_footerframeworks\codestar-framework\fields\icon\icon.php:41
actioncustomize_controls_print_footer_scriptsframeworks\codestar-framework\fields\icon\icon.php:42
actionadmin_print_footer_scriptsframeworks\codestar-framework\fields\link\link.php:65
actionprint_default_editor_scriptsframeworks\codestar-framework\fields\wp_editor\wp_editor.php:62
actionadmin_menuframeworks\codestar-framework\views\welcome.php:19
filterplugin_action_linksframeworks\codestar-framework\views\welcome.php:20
filterplugin_row_metaframeworks\codestar-framework\views\welcome.php:21
actioninitinc\class-streamcast.php:14
actionplugins_loadedinc\class-streamcast.php:15
actionplugins_loadedinc\class-streamcast.php:16
actionadmin_enqueue_scriptsinc\class-streamcast.php:17
actionadmin_menuinc\class-streamcast.php:18
filteradmin_footer_textinc\class-streamcast.php:19
actionadmin_footerinc\metabox-free.php:5
filtercsf_sc__saveinc\metabox-free.php:735
actioninitinc\Streamcast_Admin.php:8
filtergettextinc\Streamcast_Admin.php:9
filterpost_updated_messagesinc\Streamcast_Admin.php:10
filterpost_row_actionsinc\Streamcast_Admin.php:11
actionadmin_head-post.phpinc\Streamcast_Admin.php:12
actionadmin_head-post-new.phpinc\Streamcast_Admin.php:13
filtermanage_streamcast_posts_columnsinc\Streamcast_Admin.php:14
actionmanage_streamcast_posts_custom_columninc\Streamcast_Admin.php:15
actionedit_form_after_titleinc\Streamcast_Admin.php:16
filterupload_mimesmimes\enable-mime-type.php:14
filterwp_check_filetype_and_extmimes\enable-mime-type.php:52
filterwp_check_filetype_and_extmimes\enable-mime-type.php:54
actioninitstreamcast-block.php:7
actionenqueue_block_assetsstreamcast-block.php:8
actionenqueue_block_editor_assetsstreamcast-block.php:10
Maintenance & Trust

StreamCast – Live Radio Streaming Player Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedFeb 24, 2026
PHP min version7.1
Downloads73K

Community Trust

Rating96/100
Number of ratings6
Active installs1K
Alternatives

StreamCast – Live Radio Streaming Player Alternatives

Shoutcast Icecast HTML5 Radio Player

Shoutcast Icecast HTML5 Radio Player

shoutcast-icecast-html5-radio-player

A
99

A secure HTML5 radio player for Shoutcast, Icecast, and podcast streams with social sharing.

1K 1 CVE
FWD Plasmic Audio Player

FWD Plasmic Audio Player

fwd-plasmic-audio-player

A
100

Powerful and extremely customizable 3D audio player with an organic sphere visualizer, playlist support, and Shoutcast/Icecast playback.

0 No CVEs
WPRadio – WordPress Radio Streaming Plugin

WPRadio – WordPress Radio Streaming Plugin

wpradio

A
99

An entire radio streaming platform within your WordPress site.

200 1 CVE
Radio Player Page

Radio Player Page

radio-player-page

A
100

Dedicated player pages for your radio streams, with program scheduling and continuous playback.

100 No CVEs
Serverless Radio

Serverless Radio

serverless-radio

A
100

A serverless MP3 linear streaming plugin that lets you create AutoDJ-like playlists from public MP3 folders — no VPS required.

50 No CVEs
Developer Profile

StreamCast – Live Radio Streaming Player Developer Profile

colorlibplugins

120 plugins · 738K total installs

78
trust score
Avg Security Score
99/100
Avg Patch Time
140 days
View full developer profile
Detection Fingerprints

How We Detect StreamCast – Live Radio Streaming Player

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/streamcast/assets/css/backend.min.css/wp-content/plugins/streamcast/assets/css/frontend.min.css/wp-content/plugins/streamcast/assets/js/backend.min.js/wp-content/plugins/streamcast/assets/js/frontend.min.js
Script Paths
/wp-content/plugins/streamcast/vendor/freemius/start.php
Version Parameters
streamcast/assets/css/backend.min.css?ver=streamcast/assets/css/frontend.min.css?ver=streamcast/assets/js/backend.min.js?ver=streamcast/assets/js/frontend.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
streamcast_player
Data Attributes
data-streamcast-iddata-streamcast-type
JS Globals
streamcast_config
Shortcode Output
[streamcast
FAQ

Frequently Asked Questions about StreamCast – Live Radio Streaming Player