CVE-2025-4591 in Weluka Lite Plugin
Summary
by MITRE • 05/15/2025
The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/15/2025
The Weluka Lite plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2025-4591 affecting versions through 1.0.3. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's 'weluka-map' shortcode implementation. The flaw specifically targets user-supplied attributes that are processed through the shortcode system without proper validation or sanitization, creating an attack vector that can be exploited by authenticated users with contributor-level privileges or higher.
The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are rendered in the plugin's map functionality. When an authenticated attacker with contributor access or above creates or modifies content containing malicious script within the weluka-map shortcode parameters, the malicious code is stored within the WordPress database. This stored script executes whenever any user accesses pages containing the injected content, making the vulnerability particularly dangerous as it can affect multiple users without requiring them to perform any specific actions beyond viewing the affected pages.
The operational impact of CVE-2025-4591 extends beyond simple script execution as it enables attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious sites. The vulnerability's classification as a stored XSS attack means that the malicious payload persists in the database and can affect any user who views the affected content, regardless of their privilege level. This makes it particularly concerning for websites where multiple contributors or editors have access to content creation functionality, as the attack can be initiated by any user with sufficient privileges to modify posts or pages.
This vulnerability aligns with CWE-79 which describes improper neutralization of input during web page generation in web applications, specifically addressing the failure to properly sanitize user input that can lead to cross-site scripting attacks. The issue also maps to ATT&CK technique T1566.001 which covers the use of malicious links in the context of web application attacks, and T1071.001 which covers application layer protocol usage for command and control communications. Organizations using this plugin should immediately implement mitigations including updating to the latest version where the vulnerability has been patched, implementing strict input validation for shortcode parameters, and conducting thorough security audits of all active plugins to identify similar vulnerabilities.
The security implications of this vulnerability underscore the critical importance of proper input sanitization and output escaping in web applications, particularly in content management systems where user-generated content is processed. The fact that this vulnerability can be exploited by users with contributor-level access demonstrates the need for comprehensive privilege management and input validation across all plugin components. Organizations should also consider implementing additional security measures such as content security policies, regular security scanning of plugin code, and privileged access monitoring to detect and prevent exploitation attempts. The vulnerability serves as a reminder that even seemingly minor functionality within plugins can present significant security risks when proper security practices are not implemented during development.