Using XSS to execute PHP Code
The attacker stores JavaScript as an unauthenticated user. Later, this JavaScript is loaded when an administrator clicks a certain tab of the Stream plugin, so the injected code executes with administrator rights. WordPress has code-editing features (e.g. the theme and plugin editors) that allow editing of PHP files on the server. The injected JavaScript can drive those editors, leaving you with a compromised server and injected PHP code.
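The two defensive points this chain turns on are output escaping (the root cause of the stored XSS) and the file editors (what turns an admin-session XSS into PHP on disk). The following is an added example, not code from the Stream plugin or from WordPress core: `render_row_vulnerable` and `render_row_escaped` are hypothetical renderers for an admin-page table cell, and `$stored` is a constructed sample of a value an unauthenticated user could have saved. `DISALLOW_FILE_EDIT` is a real WordPress constant read from `wp-config.php`.

```php
<?php
// Added example (hypothetical admin-page code, not the Stream plugin's own).

// Constructed sample: attacker-controlled text that was stored unauthenticated.
$stored = '<script>alert(1)</script>';

// Vulnerable: the stored value is concatenated raw into admin-page HTML, so the
// browser parses it as markup and runs it under the administrator's session.
function render_row_vulnerable(string $value): string {
    return '<td>' . $value . '</td>';
}

// Hardened: HTML-escape on output, so the same value is displayed as text.
// Inside WordPress the idiomatic call is esc_html($value); plain PHP is used
// here so the example runs without WordPress loaded.
function render_row_escaped(string $value): string {
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

echo render_row_vulnerable($stored), PHP_EOL;
echo render_row_escaped($stored), PHP_EOL;

// Defense in depth, placed in wp-config.php rather than here: disabling the
// built-in theme and plugin editors removes the file-write step, so a hijacked
// admin session cannot turn XSS into PHP on the server through those screens.
// define('DISALLOW_FILE_EDIT', true);
```

Escaping at output fixes the injection itself; the `DISALLOW_FILE_EDIT` line is worth setting regardless, since it closes the escalation path for any future admin-context XSS, not just this one.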