CVE-2025-4591 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Weluka Lite WordPress plugin, specifically versions up to and including 1.0.3. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin's 'weluka-map' shortcode fails to sufficiently sanitize and escape user-supplied attributes. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently in the page content, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor-level access, no user interaction is needed for exploitation, and the scope is changed since the vulnerability can affect other users viewing the injected content. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is significant because WordPress is a widely used content management system, and plugins like Weluka Lite are commonly employed to enhance site functionality. The flaw specifically targets the shortcode processing mechanism, a common vector for injection attacks when input validation is insufficient.

For European organizations using WordPress sites with the Weluka Lite plugin, this vulnerability poses a risk of client-side code injection that can compromise the confidentiality and integrity of user sessions and data. Attackers with contributor-level access could leverage this flaw to execute persistent XSS attacks, potentially leading to unauthorized actions on behalf of users, theft of authentication tokens, or distribution of malware. This can damage organizational reputation, lead to data breaches involving personal or sensitive information protected under GDPR, and disrupt business operations. Since the vulnerability affects the content rendering process, it can impact any user visiting the compromised pages, including customers, employees, or partners. The medium severity score reflects the need for timely remediation, especially for organizations with multiple contributors or less restrictive access controls. The absence of known exploits currently reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts. European organizations in sectors such as e-commerce, media, education, and government, which often rely on WordPress, should be particularly vigilant.

1. Immediately audit WordPress sites to identify installations of the Weluka Lite plugin, especially versions up to 1.0.3. 2. Restrict contributor-level and higher access to trusted users only, implementing the principle of least privilege to reduce the risk of insider exploitation. 3. Until an official patch is released, consider disabling or removing the Weluka Lite plugin to eliminate the attack surface. 4. Implement Web Application Firewall (WAF) rules that detect and block suspicious input patterns targeting the 'weluka-map' shortcode attributes. 5. Conduct thorough input validation and output encoding on all user-supplied content in custom plugins or themes to prevent similar vulnerabilities. 6. Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts. 7. Educate content contributors about the risks of injecting untrusted content and enforce secure content management policies. 8. Once a patch is available, apply it promptly and verify the fix through testing. 9. Use Content Security Policy (CSP) headers to mitigate the impact of potential XSS by restricting script execution sources.