CVE-2025-9442: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in streamweasels StreamWeasels Kick Integration
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vodsChannel’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9442 is a stored Cross-Site Scripting (XSS) vulnerability affecting the StreamWeasels Kick Integration plugin for WordPress, specifically versions up to and including 1.1.5. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The issue is triggered via the 'vodsChannel' parameter, which lacks sufficient input sanitization and output escaping. This flaw allows authenticated users with Contributor-level permissions or higher to inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to Contributor or above, and no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. Currently, there are no known exploits in the wild, and no official patches have been released yet. The vulnerability is significant because WordPress is widely used for content management, and plugins like StreamWeasels Kick Integration are common for embedding streaming content, making this a relevant attack vector for websites relying on this plugin.
Potential Impact
For European organizations, especially those operating websites or services using WordPress with the StreamWeasels Kick Integration plugin, this vulnerability poses a risk of unauthorized script execution leading to data theft, user session compromise, and potential defacement or misinformation campaigns. Confidentiality is impacted due to possible theft of cookies or credentials, and integrity is affected as attackers can alter page content or inject misleading information. Availability impact is minimal as the vulnerability does not directly cause denial of service. The medium CVSS score reflects that while exploitation requires authenticated access, many organizations allow Contributor-level users (e.g., content creators or editors), increasing the attack surface. This vulnerability could be leveraged in targeted attacks against media companies, educational institutions, or government websites that use this plugin to stream content. Additionally, the cross-site scripting could facilitate further attacks such as phishing or malware distribution, amplifying the threat to European users and organizations.
Mitigation Recommendations
1. Immediate mitigation should include restricting Contributor-level permissions to trusted users only, minimizing the risk of malicious script injection.
2. Administrators should monitor and audit content submitted via the 'vodsChannel' parameter for suspicious input.
3. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting this parameter.
4. Disable or remove the StreamWeasels Kick Integration plugin if it is not essential until a patch is available.
5. Encourage plugin developers or maintainers to release a security update that properly sanitizes and escapes all user inputs, especially the 'vodsChannel' parameter.
6. Educate content contributors about safe input practices and the risks of injecting untrusted content.
7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites.
8. Regularly update WordPress core and all plugins to the latest versions to reduce exposure to known vulnerabilities.
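The defect class described in the technical summary (a parameter reaching page output without sanitization or escaping) and the fix asked for in recommendation 5 are illustrated below in PHP. This is an added example, not code from the StreamWeasels plugin: the function names, the `data-channel` attribute and the channel-slug pattern are assumptions, and the raw `vodsChannel` value is shown arriving as a plain string rather than through any specific WordPress entry point. When run under WordPress the real `sanitize_text_field()` and `esc_attr()` are used; outside WordPress, minimal stand-ins let the file run from the CLI.

```php
<?php
// Added illustration of CWE-79 in a WordPress plugin and its remediation.
// Not the StreamWeasels plugin's code; names and markup are hypothetical.

// Stand-ins so the file also runs outside WordPress (php this-file.php).
// Inside WordPress the real functions already exist and these are skipped.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = str_replace( "\0", '', $str );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $str ) {
        return htmlspecialchars( (string) $str, ENT_QUOTES, 'UTF-8' );
    }
}

// VULNERABLE PATTERN: the untrusted parameter is concatenated straight into
// markup. A Contributor-supplied value such as  x" onmouseover="alert(1)
// closes the attribute and becomes an event handler that runs for every
// visitor of the page (stored XSS).
function kick_vods_render_unsafe( $vods_channel ) {
    return '<div class="kick-vods" data-channel="' . $vods_channel . '"></div>';
}

// HARDENED PATTERN, step 1: validate on input. A Kick channel name is a
// simple identifier, so anything outside that shape is rejected outright
// rather than "cleaned". (Assumed pattern; adjust to the real slug rules.)
function kick_vods_sanitize_channel( $vods_channel ) {
    $channel = sanitize_text_field( $vods_channel );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $channel ) ) {
        return '';
    }
    return $channel;
}

// HARDENED PATTERN, step 2: escape on output for the HTML attribute context.
// Escaping is kept even though validation already rejects quotes, so the
// output stays safe if the validation rule is later relaxed.
function kick_vods_render_safe( $vods_channel ) {
    $channel = kick_vods_sanitize_channel( $vods_channel );
    if ( '' === $channel ) {
        return ''; // render nothing for an invalid channel name
    }
    return '<div class="kick-vods" data-channel="' . esc_attr( $channel ) . '"></div>';
}

// Constructed inputs: a legitimate channel name and an attribute-breaking one.
$benign    = 'some_channel';
$malicious = 'x" onmouseover="alert(1)';

echo "unsafe/benign:    " . kick_vods_render_unsafe( $benign ) . "\n";
echo "unsafe/malicious: " . kick_vods_render_unsafe( $malicious ) . "\n"; // handler injected
echo "safe/benign:      " . kick_vods_render_safe( $benign ) . "\n";
echo "safe/malicious:   [" . kick_vods_render_safe( $malicious ) . "]\n";   // empty: rejected
```

The two-layer approach matters for the Contributor threat model in this advisory: WordPress's content filtering does not reach values a plugin takes from its own parameters and prints itself, so the plugin must both constrain what it accepts and escape at the exact point of output. For a WAF rule (recommendation 3) or an audit of stored values (recommendation 2), the same allow-list shape used in `kick_vods_sanitize_channel()` is a more reliable signal than a blacklist of script tags.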
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-25T13:52:52.838Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68bbabc7844ddfa4289c96bd
Added to database: 9/6/2025, 3:34:31 AM
Last enriched: 9/13/2025, 3:38:57 AM
Last updated: 10/19/2025, 8:52:40 AM
Views: 66