:point_right: Superseded by #1435.

Fixes #1426.

This PR includes the following changes:

adds tests to trigger and assert the vulnerability described in CVE-2022-43490, props @Lucisu via Patchstack
fixes CVE-2022-43490 by adding a nonce check to the 'wp_ajax_wp_stream_uninstall' AJAX action.
fixes a broken SQL query that failed to delete user meta records on multisite installations.
ensure that plugin being uninstalled from a blog in a multisite doesn't delete all Stream data unless the action is performed (1) by a super admin and (2) on the main blog for of the site.

Checklist

[x] Project documentation has been updated to reflect the changes in this pull request, if applicable.
[x] I have tested the changes in the local development environment (see contributing.md).
[x] I have added phpunit tests.

xwp / stream