Stored Cross-Site Scripting in StreamWeasels Kick Integration Plugin for WordPress
CVE-2025-9442

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Streamweasels Kick Integration
Vendor: CVE Published:; 6 September 2025

What is CVE-2025-9442?

The StreamWeasels Kick Integration plugin for WordPress is susceptible to Stored Cross-Site Scripting via the 'vodsChannel' parameter. This vulnerability arises from inadequate input sanitization and output escaping in versions up to and including 1.1.5. Authenticated attackers with Contributor-level access or higher can exploit this weakness to inject arbitrary web scripts into pages. When users access an affected page, these scripts execute, potentially compromising user data and site integrity.

Affected Version(s)

StreamWeasels Kick Integration * <= 1.1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/streamweasels-...

https://wordpress.org/plugins/streamweasels-kick-integrat...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2025
Vulnerability Reserved
Aug 25, 2025

Credit

Peter Thaleikis