CVE-2025-8867 is a stored cross-site scripting vulnerability identified in the Graphina – Elementor Charts and Graphs plugin for WordPress, versions 3.1.3 and earlier. The vulnerability stems from insufficient neutralization of input during web page generation (CWE-79), specifically due to inadequate sanitization and escaping of user-supplied attributes such as chart categories, titles, and tooltip settings. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into chart widget parameters. Because the malicious scripts are stored within the plugin's data and rendered on pages, they execute automatically whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability does not require user interaction to trigger, and the attack surface is network accessible. The CVSS v3.1 base score of 6.4 reflects a medium severity with attack vector as network, low attack complexity, privileges required (low), no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing contributor-level users to create or edit content. The lack of official patches at the time of disclosure necessitates immediate mitigation steps to reduce exposure.

The vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages using the Graphina plugin, which execute in the browsers of any users visiting those pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access. Attackers may also manipulate page content or perform actions on behalf of other users, undermining data integrity. While availability impact is minimal, the confidentiality and integrity of user data and site content are at risk. Organizations relying on this plugin face increased risk of account compromise, defacement, and potential lateral movement within their WordPress environment. Given WordPress's widespread use globally, the vulnerability could be leveraged in targeted attacks against organizations with contributor-level users, such as content teams or external collaborators. The scope of affected systems is broad, as the plugin is used in diverse sectors including media, education, and e-commerce, potentially impacting sensitive or high-profile websites.

1. Immediately restrict contributor-level and higher user privileges to trusted personnel only, minimizing the risk of malicious input. 2. Implement strict input validation and sanitization on all user-supplied data fields related to chart widgets, either via custom code or security plugins that enforce content filtering. 3. Monitor and audit content created or edited by contributors for suspicious scripts or anomalies. 4. Disable or remove the Graphina – Elementor Charts and Graphs plugin if it is not essential to reduce attack surface until an official patch is released. 5. Apply web application firewall (WAF) rules to detect and block common XSS payloads targeting the plugin’s parameters. 6. Educate content creators and administrators about the risks of XSS and safe content practices. 7. Once available, promptly update the plugin to a patched version addressing CVE-2025-8867. 8. Consider implementing Content Security Policy (CSP) headers to restrict script execution sources, mitigating impact of injected scripts. 9. Regularly back up WordPress sites to enable recovery in case of compromise.