Description
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability allows authenticated users with Contributor level access or higher to inject arbitrary JavaScript into the status‑classic‑offline‑text field of the StreamWeasels Kick Integration plugin. Because the input is stored and later output without proper sanitization, the injected code will execute whenever a user opens the affected page. This can be leveraged for session hijacking, credential theft, or defacement, compromising both confidentiality and integrity of user data.

Affected Systems

All WordPress installations that have the StreamWeasels Kick Integration plugin at any version up to and including 1.1.3 are affected. The plugin is commonly used as a WordPress add‑on to manage status messages, and the impacted field is part of the user‑visible status output.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity risk, and the EPSS score of less than 1% suggests low likelihood of exploitation in the wild. The flaw is not currently listed in CISA’s KEV catalog. The likely attack vector is an authenticated contributor or higher user creating or editing a status message; the web‑script payload is stored and then served to all visitors who view that status. While the vector requires authentication, it allows the attacker to influence the client‑side behavior of other users, potentially leading to widespread script execution.

Generated by OpenCVE AI on April 22, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the StreamWeasels Kick Integration plugin to a version newer than 1.1.3 that implements proper input sanitization and output escaping for the status‑classic‑offline‑text field.
  • Apply input validation and output encoding to any custom status or message fields so that only safe text can be stored and displayed.
  • Deploy or configure a web application firewall rule that blocks known XSS payloads or enforces content‑security policies to mitigate the impact of any remaining injections.

Generated by OpenCVE AI on April 22, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18335 The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00034}

 epss

{'score': 0.00039}

Tue, 17 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 14 Jun 2025 08:45:00 +0000

Type Values Removed Values Added
Description The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title StreamWeasels Kick Integration <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via status-classic-offline-text Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:43.164Z

Reserved: 2025-06-03T22:53:36.123Z

Link: CVE-2025-5589

cve-icon Vulnrichment

Updated: 2025-06-16T16:47:14.572Z

cve-icon NVD

Status : Deferred

Published: 2025-06-14T09:15:23.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5589

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses