Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD, the only source for this CVE.
Description (CVE.org)
The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Fancy Text Widget And Countdown Widget DOM attributes in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis (AI-generated)
The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.
Technical Context (AI-generated)
The Sina Extension for Elementor (CPE: cpe:2.3:a:shaonsina:sina_extension_for_elementor:*:*:*:*:*:*:*:*) is a WordPress plugin that extends the Elementor page builder with additional widgets, including Fancy Text and Countdown functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, commonly known as Cross-Site Scripting). The root cause is insufficient input sanitization and output escaping in the widgets' handling of DOM attributes: user-supplied input is not properly validated before being inserted into the page DOM, and output is not properly escaped when rendered to HTML. The JavaScript file at plugins/sina-extension-for-elementor/tags/3.7.0/assets/js/sina-widgets.js contains the widget initialization code that processes these attributes without adequate security controls.
Remediation (AI-generated)
WordPress site administrators should upgrade the Sina Extension for Elementor plugin to a version newer than 3.7.0 as soon as one is available. Until a patched version is released, site administrators should restrict Contributor-level and above accounts to trusted individuals, disable or deactivate the plugin if it is not essential to site functionality, and audit all existing pages that use the Fancy Text Widget and Countdown Widget for suspicious content or script injections. For sites that cannot immediately patch, implement WordPress security hardening measures including a Web Application Firewall (WAF) with XSS detection rules, regular security audits using tools such as Wordfence or Sucuri, and logging and monitoring of widget content modifications. Monitor the official plugin repository and vendor advisories for patch releases, and test patches in a staging environment before deploying to production.
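As an added illustration of the pattern the technical context and the audit step above describe (this is not code from the plugin or the advisory): a widget script reads a JSON-encoded DOM attribute and interpolates it into markup, with the unescaped sink beside its escaped form and a small helper for flagging stored strings that carry markup. The attribute layout, the `fancy-text-item` class and the sample strings are assumptions.

```javascript
// Illustration only: a widget reads a JSON-encoded data attribute (the
// attribute layout is assumed, not taken from the plugin) and turns it into
// markup. The browser has already decoded the attribute, so what reaches
// the script is plain text that may contain markup.

// Escape the five characters that matter when text lands in HTML content
// or inside a double-quoted attribute value. '&' must go first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse the attribute; return [] on malformed input instead of throwing
// inside a page-wide widget initialisation loop.
function parseStrings(attrValue) {
  try {
    const parsed = JSON.parse(attrValue);
    return Array.isArray(parsed) ? parsed.map(String) : [];
  } catch (e) {
    return [];
  }
}

// Vulnerable pattern: the stored strings are concatenated into markup that
// is then assigned to innerHTML, so any tags saved with the widget are
// parsed as live HTML for every visitor.
function renderFancyTextVulnerable(attrValue) {
  return parseStrings(attrValue)
    .map((s) => `<span class="fancy-text-item">${s}</span>`)
    .join('');
}

// Hardened pattern: each string is escaped before interpolation, so the
// same input renders as inert text (equivalent to using textContent).
function renderFancyTextSafe(attrValue) {
  return parseStrings(attrValue)
    .map((s) => `<span class="fancy-text-item">${escapeHtml(s)}</span>`)
    .join('');
}

// Audit helper for stored widget content: true when a string contains a tag
// opener or an inline event-handler attribute, i.e. content that would
// become active if rendered through the unescaped path.
function looksLikeMarkup(s) {
  return /<[a-z!\/]/i.test(s) || /\bon[a-z]+\s*=/i.test(s);
}

// Constructed sample attribute value: one entry carries a benign tag, the
// other is ordinary text that merely resembles markup.
const SAMPLE_ATTR = JSON.stringify(['Hello <b>world</b>', 'a < b && b > c']);
```

Running `renderFancyTextVulnerable(SAMPLE_ATTR)` keeps the `<b>` element intact, while `renderFancyTextSafe(SAMPLE_ATTR)` turns it into `&lt;b&gt;`; `looksLikeMarkup` flags only the first sample entry.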
Related advisories
EUVD-2025-208932
GHSA-r3p6-6v6q-48jv