Impact
The flaw originates in the SHAONSINA Sina Extension for Elementor plugin, whose Fancy Text Widget and Countdown Widget fail to sanitize and escape user-supplied input before rendering it. An attacker who can authenticate with a Contributor role or higher can inject arbitrary JavaScript that runs in the browser of any visitor who opens a page containing the malicious widget. That script can be used to steal session cookies, deface the site, redirect users, or perform other malicious actions in the victim's context. The vulnerability is classified as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
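The defect described above is the generic stored-XSS pattern in a WordPress page-builder widget: a value entered into a widget control by a Contributor-level editor is written into the rendered page unescaped, so it is served as live markup to every visitor. The PHP below is an added illustration and not the plugin's own code. It shows an Elementor-style widget render method in an unsafe form and in a hardened form; the class name, the control keys (`prefix`, `link_url`, `fancy_text`, `description`) and the method `render_unsafe()` are assumptions made for the example, while `esc_attr()`, `esc_url()`, `esc_html()` and `wp_kses_post()` are WordPress's standard context-specific escaping functions and `get_settings_for_display()` is Elementor's accessor for the widget's saved settings.

```php
<?php
// Added illustration (not the plugin's code): the stored-XSS pattern named in
// the advisory and the same output hardened with WordPress escaping functions.

use Elementor\Widget_Base;

// Hypothetical widget class used only for this example.
class Example_Fancy_Text_Widget extends Widget_Base {

    public function get_name() {
        return 'example_fancy_text';
    }

    // UNSAFE (the pattern behind the advisory): the settings were typed by
    // whoever last edited the page, which can be a Contributor, and they are
    // printed as raw HTML. Anything stored in them executes for every visitor.
    // This method is kept only for contrast; Elementor calls render(), not this.
    protected function render_unsafe() {
        $settings = $this->get_settings_for_display();

        echo '<div class="fancy-text" data-prefix="' . $settings['prefix'] . '">';
        echo '<a href="' . $settings['link_url'] . '">' . $settings['fancy_text'] . '</a>';
        echo '<p>' . $settings['description'] . '</p>';
        echo '</div>';
    }

    // HARDENED: escape at output time with the function that matches the
    // context the value lands in. Sanitizing on save is a second layer, but
    // output escaping is what stops a stored payload from running.
    protected function render() {
        $settings = $this->get_settings_for_display();

        // Attribute context: esc_attr() encodes quotes, so the value cannot
        // break out of data-prefix="..." and start a new attribute or tag.
        $prefix = esc_attr( $settings['prefix'] );

        // URL context: esc_url() drops URLs whose scheme is not in WordPress's
        // allowed list (so a javascript: link becomes an empty string).
        $url = esc_url( $settings['link_url'] );

        // Text-node context: esc_html() encodes <, >, &, " and ', so the text
        // is displayed literally instead of being parsed as markup.
        $text = esc_html( $settings['fancy_text'] );

        // Rich-text context: the field may legitimately contain simple
        // formatting, so wp_kses_post() keeps the tags allowed in post content
        // and strips scripts, event handlers and other disallowed markup.
        $description = wp_kses_post( $settings['description'] );

        echo '<div class="fancy-text" data-prefix="' . $prefix . '">';
        echo '<a href="' . $url . '">' . $text . '</a>';
        echo '<p>' . $description . '</p>';
        echo '</div>';
    }
}
```

When reviewing a widget for this class of bug, look at every `echo` or template include in `render()` and `content_template()` and confirm that each interpolated setting passes through the escaper for its context; a single unescaped setting is enough to reproduce the issue, and `esc_html()` applied to a value that is then placed inside an attribute or a URL is not a substitute for `esc_attr()` or `esc_url()`.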
Affected Systems
WordPress sites running the Sina Extension for Elementor plugin at any version up to and including 3.7.0 are affected. Sites that use the Fancy Text Widget or Countdown Widget in page content are at risk, regardless of the size of the site's user base.
Risk and Exploitability
The CVSS base score of 6.4 indicates moderate severity. Because exploitation requires authentication with at least Contributor privileges, the risk of wide-scale public exploitation is reduced, yet sites with many contributors remain vulnerable. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to log into the WordPress backend, create or edit a page containing the vulnerable widget, insert a malicious script, and then wait for a site visitor to trigger its execution. The dependence on authenticated access limits, but does not eliminate, the potential for abuse.
OpenCVE Enrichment