Feels a little overstated if it requires a malicious lua script.

Yes that's bad, but its not critical the way the article implies. For the average website, your average stored XSS is probably more impactful.