Description
The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets.
Published: 2025-11-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

The Graphina – Elementor Charts and Graphs plugin for WordPress contains a stored cross-site scripting flaw (CWE-79) that allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript into chart widget configuration data. Because the plugin does not properly sanitize or escape these values when it writes them into data attributes, any script stored in a widget executes whenever a user views a page containing that widget.
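The rendering pattern behind this class of bug, shown as an added example that is not Graphina's own code: a widget's Contributor-supplied settings concatenated into data-* attributes as-is, beside the same output with attribute-context escaping. It is plain PHP so it runs stand-alone; the function names, the `chart` markup and the sample settings are assumptions, and inside WordPress `esc_attr()` and `wp_json_encode()` take the place of `htmlspecialchars()` and `json_encode()`.

```php
<?php
// Added example, not Graphina's own code: how Contributor-supplied widget
// settings reach HTML data-* attributes with and without output escaping.
// Plain PHP so it runs stand-alone; inside WordPress, esc_attr() and
// wp_json_encode() are the counterparts of htmlspecialchars() and json_encode().

/** Vulnerable pattern: settings are concatenated into data-* attributes as-is. */
function render_chart_unescaped(array $s): string
{
    return '<div class="chart" data-title="' . $s['title']
         . '" data-labels="' . json_encode($s['labels']) . '"></div>';
}

/** Escape one value for the double-quoted HTML attribute context. */
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every attribute value is escaped at the point of output. */
function render_chart_escaped(array $s): string
{
    return '<div class="chart" data-title="' . attr($s['title'])
         . '" data-labels="' . attr(json_encode($s['labels'])) . '"></div>';
}

// Constructed sample input: a title that closes the attribute and appends an
// event handler, plus ordinary labels whose JSON encoding contains double quotes.
$settings = [
    'title'  => 'Sales" onmouseover="alert(1)',
    'labels' => ['Q1', 'Q2'],
];

echo "unescaped: ", render_chart_unescaped($settings), PHP_EOL;
echo "escaped:   ", render_chart_escaped($settings), PHP_EOL;
```

In the unescaped output the title's quote ends `data-title` early and `onmouseover` becomes a live attribute, and even the benign JSON labels break `data-labels` on their first `"`. In the escaped output every `"` becomes `&quot;`, which the browser decodes again when it parses the attribute, so client-side `JSON.parse(el.dataset.labels)` still receives valid JSON.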

Affected Systems

All releases of the plugin up to and including 3.1.8 are affected. The problem exists in the Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart and Advance Data Table widgets, which are part of the iqonicdesign Graphina – Charts and Graphs For Elementor package installed on WordPress sites that use Elementor for page building.

Risk and Exploitability

The CVSS score is 6.4 (Medium severity). The EPSS score is below 1%, suggesting that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Contributor-level account and targets sites where chart widgets are rendered for other users. Because the flaw is stored, the injected content remains on the site until the plugin is upgraded or the offending widget content is removed.

Generated by OpenCVE AI on April 27, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Graphina to version 3.1.9 or later, which removes the CWE-79 vulnerability by fixing input sanitization and output escaping.
  • If an update is not immediately possible, restrict Contributor-level and higher roles from editing chart widgets, or move the site to a more restrictive role model, to reduce the available attack surface.
  • Manually review and delete any chart widgets that contain injected scripts, and use a content sanitization plugin to escape any remaining data attributes before putting the site back into service.


Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Elementor, Elementor elementor, Iqonicdesign, Iqonicdesign graphina, Wordpress, Wordpress wordpress
Vendors & Products                    Elementor, Elementor elementor, Iqonicdesign, Iqonicdesign graphina, Wordpress, Wordpress wordpress

Wed, 05 Nov 2025 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 09:45:00 +0000

Type                 Values Removed   Values Added
Description                           The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets.
Title                                 Graphina – Elementor Charts and Graphs <= 3.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:38.928Z

Reserved: 2025-10-15T17:23:50.590Z

Link: CVE-2025-11820

Vulnrichment

Updated: 2025-11-05T15:44:19.882Z

NVD

Status : Deferred

Published: 2025-11-05T10:15:34.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses