CVE-2025-7810 identifies a stored Cross-Site Scripting (XSS) vulnerability in the StreamWeasels Kick Integration plugin for WordPress, present in all versions up to and including 1.1.4. The root cause is insufficient input sanitization and output escaping of the 'data-uuid' attribute, which is user-supplied. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages via this attribute. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability requires authentication and user interaction (visiting the infected page) but has a low attack complexity and affects the confidentiality and integrity of affected sites. The CVSS 3.1 base score is 5.4, reflecting these factors. No patches are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The plugin is widely used in WordPress environments that integrate StreamWeasels Kick features, making affected sites susceptible until remediation is applied.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary scripts in the context of the affected website, leading to session hijacking, theft of sensitive information, unauthorized actions, and defacement. Since the vulnerability requires contributor-level access, attackers must first compromise or have legitimate access to an account with such privileges, which limits but does not eliminate risk. The stored nature of the XSS means that all users visiting the infected page are at risk, including administrators, increasing the potential damage. Organizations relying on the StreamWeasels Kick Integration plugin for WordPress could face reputational damage, data breaches, and loss of user trust. The vulnerability could also be leveraged as a foothold for further attacks within the network or to spread malware. Given WordPress's widespread use, the scope of affected systems is significant, especially for sites that allow multiple contributors or have less stringent access controls.

1. Monitor for an official patch or update from the StreamWeasels plugin developers and apply it immediately upon release. 2. Until a patch is available, restrict contributor-level and higher access to trusted users only and review existing user privileges to minimize risk. 3. Implement strict input validation and output encoding on the 'data-uuid' attribute within the plugin code if possible, to neutralize malicious input. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable attribute. 5. Conduct regular security audits and scanning of WordPress sites to detect injected scripts or anomalous behavior. 6. Educate site administrators and contributors about the risks of XSS and safe content management practices. 7. Consider disabling or removing the StreamWeasels Kick Integration plugin if it is not essential to reduce attack surface. 8. Monitor logs for unusual activity related to contributor accounts and page accesses that might indicate exploitation attempts.