VYPR
Medium severity (6.4) · NVD Advisory · Published Nov 5, 2025 · Updated Apr 15, 2026

CVE-2025-11820

Description

The Graphina – Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widgets in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping on data attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Graphina Elementor Charts and Graphs plugin for WordPress is vulnerable to stored XSS via chart widgets, allowing Contributor-level attackers to inject arbitrary scripts.

The Graphina – Elementor Charts and Graphs plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability in multiple chart widgets, including Area, Line, Column, Donut, Heatmap, Radar, Polar, Pie, Radial, and Advance Data Table widgets. The root cause is insufficient input sanitization and output escaping on data attributes such as data-chart_data and data-chart_options. This allows an attacker to inject malicious HTML and JavaScript that is later rendered unsanitized when the page is viewed [1].

Exploitation requires an authenticated user with at least Contributor-level access. The attacker can add a chart widget alongside an HTML widget containing encoded payloads in the data attributes. When the page is previewed or edited by an administrator, the injected script executes. The vulnerability is DOM-based, as the JavaScript processes the data attributes without proper validation [1].

Successful exploitation leads to arbitrary script execution in the context of the victim's browser. This can result in session hijacking, defacement, or theft of sensitive information. The impact is amplified because the injected script executes whenever any user accesses the compromised page, including site administrators [1].

The vulnerability affects all versions up to and including 3.1.8. Users are strongly advised to update to the latest patched version of the plugin. No workaround is available other than restricting Contributor-level access or disabling the plugin until an update is applied.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 6
