CVE-2025-11820: 
WordPress vulnerability analysis and mitigation

The Graphina – Elementor Charts and Graphs plugin for WordPress (CVE-2025-11820) contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 3.1.8. The vulnerability was discovered on November 4, 2025 and publicly disclosed on November 5, 2025 (NVD, Rapid7).

The vulnerability stems from insufficient input sanitization and output escaping on data attributes in multiple chart widgets. The JavaScript code pulls data from data-chart_data and/or data-chart_options attributes without proper sanitization. The vulnerability affects multiple chart widgets including Area Chart, Line Chart, Column Chart, Donut Chart, Heatmap Chart, Radar Chart, Polar Chart, Pie Chart, Radial Chart, and Advance Data Table widgets. The CVSS v3.1 base score is 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update to a version newer than 3.1.8 when available. Until then, it is recommended to restrict access to the Elementor editor to trusted users only (Wordfence Intel).