Impact
The Weluka Lite WordPress plugin contains a stored cross‑site scripting flaw in its weluka‑map shortcode. Because the plugin does not properly sanitize or escape user‑supplied attributes, an authenticated user with contributor privileges can inject arbitrary JavaScript. When a susceptible page is accessed, the injected script executes in the browser of any visitor, potentially enabling defacement, credential theft, or session hijacking.
Affected Systems
All releases of Weluka Lite up to and including version 1.0.3 are affected. The vulnerability is specific to the Weluka Lite plugin developed by welukame and applies to any WordPress site that has the plugin installed and is used by contributors or higher.
Risk and Exploitability
The CVSS score of 6.4 reflects a moderate severity with an attack vector that requires authenticated access, but only to users who have contributor‑level permissions or higher. The EPSS score of less than 1% indicates a low probability of widespread exploitation. Because the vulnerability is not listed in the CISA KEV catalogue, it has not yet been confirmed as a known targeted exploit. An attacker could exploit the flaw by creating or editing a post that includes the malformed weluka‑map shortcode, causing stored malicious script to run on every subsequent view of that content.
OpenCVE Enrichment
EUVD