{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4591", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-12T15:21:13.301Z", "datePublished": "2025-05-15T03:21:39.647Z", "dateUpdated": "2026-04-08T17:25:15.232Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:15.232Z"}, "affected": [{"vendor": "welukame", "product": "Weluka Lite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Weluka Lite <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d21a12b4-2f9d-4ae3-a5f6-1ba90fab43a2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/weluka-lite/trunk/class-weluka-builder.php#L4666"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "timeline": [{"time": "2025-05-14T14:26:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-15T15:19:06.395163Z", "id": "CVE-2025-4591", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T15:20:59.940Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4591", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-15T15:19:06.395163Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T15:19:42.451Z"}}], "cna": {"title": "Weluka Lite <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Cheng Liu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "welukame", "product": "Weluka Lite", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-14T14:26:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d21a12b4-2f9d-4ae3-a5f6-1ba90fab43a2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/weluka-lite/trunk/class-weluka-builder.php#L4666"}], "descriptions": [{"lang": "en", "value": "The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:15.232Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4591", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:15.232Z", "dateReserved": "2025-05-12T15:21:13.301Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-15T03:21:39.647Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Weluka Lite para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del shortcode 'weluka-map' en todas las versiones hasta la 1.0.3 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4591", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-15T04:16:18.797", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/weluka-lite/trunk/class-weluka-builder.php#L4666"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d21a12b4-2f9d-4ae3-a5f6-1ba90fab43a2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:49:51.398739+00:00", "value": {"mitigation_remediation": ["Upgrade Weluka Lite to the latest stable release (beyond 1.0.3) where the weluka\u2011map shortcode has been properly validated and escaped.", "If an upgrade is not immediately possible, restrict the use of the weluka\u2011map shortcode to trusted administrator accounts or remove the shortcode entirely from public content.", "Implement a web application firewall rule or content security policy that blocks unapproved JavaScript execution from user\u2011supplied shortcode attributes."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of Weluka Lite up to and including version 1.0.3 are affected. The vulnerability is specific to the Weluka Lite plugin developed by welukame and applies to any WordPress site that has the plugin installed and is used by contributors or higher.", "description_and_impact": "The Weluka Lite WordPress plugin contains a stored cross\u2011site scripting flaw in its weluka\u2011map shortcode. Because the plugin does not properly sanitize or escape user\u2011supplied attributes, an authenticated user with contributor privileges can inject arbitrary JavaScript. When a susceptible page is accessed, the injected script executes in the browser of any visitor, potentially enabling defacement, credential theft, or session hijacking.", "risk_and_exploitability": "The CVSS score of 6.4 reflects a moderate severity with an attack vector that requires authenticated access, but only to users who have contributor\u2011level permissions or higher. The EPSS score of less than 1% indicates a low probability of widespread exploitation. Because the vulnerability is not listed in the CISA KEV catalogue, it has not yet been confirmed as a known targeted exploit. An attacker could exploit the flaw by creating or editing a post that includes the malformed weluka\u2011map shortcode, causing stored malicious script to run on every subsequent view of that content."}}}}, "created": "2026-04-20T23:00:14.146070+00:00", "updated": "2026-04-20T23:00:14.146082+00:00", "vendors": []}