CVE-2025-5589: 
WordPress vulnerability analysis and mitigation

The StreamWeasels Kick Integration plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-5589) affecting all versions up to and including 1.1.3. The vulnerability exists in the 'status-classic-offline-text' parameter due to insufficient input sanitization and output escaping (NVD, Wiz).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The flaw stems from improper sanitization of the 'status-classic-offline-text' parameter, which allows for injection of arbitrary web scripts (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially leading to theft of sensitive information or manipulation of page content (Wiz).

The vulnerability has been patched in version 1.1.4 of the StreamWeasels Kick Integration plugin. The update includes proper sanitization of all output from the sw-kick shortcode (WordPress Plugin).