CVE-2025-4591 identifies a stored cross-site scripting vulnerability in the Weluka Lite plugin for WordPress, specifically in the handling of the 'weluka-map' shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, which allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim's browser session. The vulnerability affects all versions up to and including 1.0.3. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requires privileges, no user interaction, and impacts confidentiality and integrity with a scope change. Although no public exploits have been reported, the vulnerability poses a significant risk due to the ease of exploitation by authenticated users and the potential for widespread impact on site visitors. The plugin's widespread use in WordPress sites increases the attack surface, especially for sites that allow contributor-level user roles.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of user data on affected WordPress sites. Attackers can execute arbitrary scripts in the context of site visitors, leading to session hijacking, theft of sensitive information such as cookies or credentials, defacement, or redirection to malicious sites. Since the vulnerability requires contributor-level access, attackers who have gained such privileges—either legitimately or through other means—can leverage this flaw to escalate their impact. This can undermine user trust, damage brand reputation, and potentially lead to broader network compromise if administrative sessions are hijacked. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, increasing the risk of lateral movement or privilege escalation within the site. Organizations running WordPress sites with Weluka Lite installed are at risk, particularly those with multiple contributors or less restrictive user role management.

To mitigate CVE-2025-4591, organizations should first check for and apply any official patches or updates from the Weluka Lite plugin vendor once available. In the absence of a patch, administrators should consider temporarily disabling the 'weluka-map' shortcode or restricting contributor-level user permissions to prevent abuse. Implementing a web application firewall (WAF) with custom rules to detect and block suspicious script injections in shortcode attributes can provide additional protection. Site owners should audit user roles and permissions to ensure that only trusted users have contributor-level or higher access. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security scanning and monitoring for unusual activity or injected scripts on pages using the shortcode are also recommended. Finally, educating contributors about safe content practices and monitoring for suspicious behavior can reduce the risk of exploitation.