CVE-2025-5589 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the StreamWeasels Kick Integration plugin for WordPress, affecting all versions up to and including 1.1.3. The vulnerability arises from improper neutralization of input during web page generation, specifically via the 'status-classic-offline-text' parameter. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary malicious scripts into pages. These scripts execute in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity and requires privileges (Contributor or above) but no user interaction for exploitation. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been released at the time of this report. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks. Given the plugin’s integration with WordPress, a widely used content management system, the vulnerability could be leveraged to compromise websites that use this plugin, especially those allowing multiple contributors or editors with elevated privileges.

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on WordPress sites with the StreamWeasels Kick Integration plugin installed. Attackers with Contributor-level access can inject persistent malicious scripts, potentially compromising the confidentiality of user data by stealing session cookies or credentials. Integrity can be affected as attackers may manipulate page content or perform unauthorized actions on behalf of legitimate users. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be severe. Organizations in sectors such as media, e-commerce, education, and government that use WordPress extensively and allow multiple user roles are at higher risk. The vulnerability could also be exploited for phishing campaigns or to distribute malware via compromised websites. Since exploitation requires authenticated access, insider threats or compromised contributor accounts pose a realistic attack vector. The medium severity rating suggests that while the vulnerability is not critical, it still warrants prompt attention to prevent exploitation and downstream impacts on data privacy and trust.

1. Immediate mitigation should involve restricting Contributor-level access and above to only trusted users until a patch is available. 2. Implement strict input validation and output encoding on the 'status-classic-offline-text' parameter within the plugin code, ideally by updating or patching the plugin once the vendor releases a fix. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this parameter. 4. Conduct regular audits of user roles and permissions to minimize the number of users with Contributor or higher privileges. 5. Monitor website content for unexpected script injections or anomalies in pages that use the vulnerable plugin. 6. Educate content contributors about phishing and social engineering risks to prevent account compromise. 7. Consider isolating or sandboxing the plugin’s output areas to limit script execution impact. 8. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 9. Backup website data regularly to enable quick restoration if compromise occurs. 10. Stay informed about vendor updates and apply patches promptly once available.