Impact
The plugin contains a stored cross-site scripting flaw that arises because the vodsChannel parameter is not properly sanitized or escaped by the plugin's rendering routine. Since the input is stored in the database, an authenticated user with Contributor or higher privileges can embed script markup that runs in the browser of any visitor who loads a page displaying the injected value. The defect is classified as CWE-79 and gives an attacker script execution in the victim's browser, potentially enabling session hijacking, credential theft, or defacement of site content. No elevation of privilege beyond the Contributor role is required; the vulnerability is purely a client-side injection problem.
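As an added illustration, not the plugin's own code, the following hypothetical shortcode handler shows the output-escaping defect this advisory describes next to its hardened form. The shortcode name, function names, markup and the channel-name character set are assumptions; the only element taken from the advisory is a stored vodsChannel attribute that is rendered into HTML.

```php
<?php
// Added example, not StreamWeasels code. Shortcode name, markup and the
// validation rule are assumptions chosen to illustrate the CWE-79 pattern.
// WordPress lowercases shortcode attribute names, hence 'vodschannel'.

// Vulnerable pattern (assumed): the stored attribute is concatenated
// straight into markup, so whatever a Contributor placed in the shortcode
// reaches every visitor's browser unescaped in both attribute and text
// context.
function sw_example_vods_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'vodschannel' => '' ), $atts );
    return '<div class="kick-vods" data-channel="' . $atts['vodschannel'] . '">'
         . $atts['vodschannel'] . '</div>';
}

// Hardened pattern: normalise the value, reject anything that is not a
// plausible channel name, then escape for the exact output context
// (esc_attr() inside the attribute, esc_html() in the text node).
function sw_example_vods_shortcode_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'vodschannel' => '' ), $atts );
    $channel = sanitize_text_field( $atts['vodschannel'] );

    // Assumption: channel names are limited to [A-Za-z0-9_-], max 64 chars.
    // Invalid input is refused rather than "cleaned", so no markup can be
    // smuggled through the allow-list.
    if ( '' === $channel || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $channel ) ) {
        return '<!-- kick-vods: invalid channel name -->';
    }

    // Context-specific escaping is the defence kses cannot provide here,
    // because the value lives inside shortcode syntax, not an HTML tag.
    return sprintf(
        '<div class="kick-vods" data-channel="%s">%s</div>',
        esc_attr( $channel ),
        esc_html( $channel )
    );
}

add_shortcode( 'sw_example_kick_vods', 'sw_example_vods_shortcode_hardened' );
```

Reviewing a plugin for this class of bug means locating every point where a stored shortcode attribute or option is printed and confirming an esc_* call matching its HTML context sits on the output path.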
Affected Systems
Affected systems are installations of the StreamWeasels Kick Integration WordPress plugin version 1.1.5 and any earlier releases. Administrators should review the version used on their WordPress sites and verify whether the vodsChannel parameter is exposed or used. The plugin is distributed via the WordPress plugin repository and is supported by streamweasels. No specific operating system or PHP version constraints are given; the flaw exists in all WordPress environments that run the vulnerable plugin.
Risk and Exploitability
The CVSS score is 6.4, indicating medium severity. The EPSS score is below 1%, implying a very low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a logged-in user with Contributor or higher access, so unauthenticated remote attackers cannot exploit it directly, but anyone who obtains Contributor rights (for example through phishing or credential compromise) could abuse the flaw. Exposure is therefore limited to authenticated actors, yet once a payload has been stored it affects every visitor who views the page, whose sessions can be hijacked or used to inject further malicious content.
OpenCVE Enrichment