{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6228", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-18T10:51:11.313Z", "datePublished": "2025-08-01T11:18:55.638Z", "dateUpdated": "2026-04-08T17:34:59.558Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:59.558Z"}, "affected": [{"vendor": "shaonsina", "product": "Sina Extension for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Sina Posts`, `Sina Blog Post` and `Sina Table` widgets in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Sina Extension for Elementor <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd929710-bdb4-42e1-b409-df41adc22392?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/advanced/sina-blogpost.php#L2066"}, {"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/theme_builder/sina-posts.php#L1879"}, {"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/basic/sina-table.php#L1659"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-06-14T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-07-31T21:23:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T13:43:42.415044Z", "id": "CVE-2025-6228", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T13:43:56.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6228", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-01T13:43:42.415044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T13:43:50.952Z"}}], "cna": {"title": "Sina Extension for Elementor <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "shaonsina", "product": "Sina Extension for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-14T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-07-31T21:23:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd929710-bdb4-42e1-b409-df41adc22392?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/advanced/sina-blogpost.php#L2066"}, {"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/theme_builder/sina-posts.php#L1879"}, {"url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/basic/sina-table.php#L1659"}], "descriptions": [{"lang": "en", "value": "The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Sina Posts`, `Sina Blog Post` and `Sina Table` widgets in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:34:59.558Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6228", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:34:59.558Z", "dateReserved": "2025-06-18T10:51:11.313Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-01T11:18:55.638Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Sina Posts`, `Sina Blog Post` and `Sina Table` widgets in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets &amp; Elementor Templates) para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los widgets \"Sina Posts\", \"Sina Blog Post\" y \"Sina Table\" en todas las versiones hasta la 3.7.0 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder a una p\u00e1gina inyectada."}], "id": "CVE-2025-6228", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-01T12:15:26.620", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/advanced/sina-blogpost.php#L2066"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/basic/sina-table.php#L1659"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sina-extension-for-elementor/tags/3.7.0/widgets/theme_builder/sina-posts.php#L1879"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd929710-bdb4-42e1-b409-df41adc22392?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:04:57.662939+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to any version newer than 3.7.0 where the stored XSS issue has been fixed.", "If an upgrade cannot be performed immediately, disable the Sina Posts, Sina Blog Post and Sina Table widgets in the plugin settings or deactivate the plugin entirely to prevent further script injection.", "Review all entries in the Sina Posts, Sina Blog Post and Sina Table widgets for stored scripts and manually remove any malicious code that may already have been inserted."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting allowing arbitrary JavaScript injection that executes for any page visitor"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the shaonsina Sina Extension for Elementor plugin. All plugin versions up to and including 3.7.0 contain the flaw. The affected components are the header builder, footer builder, theme builder, slider, gallery, form, modal, data table free Elementor widgets and Elementor templates that expose the vulnerable Sina Posts, Sina Blog Post and Sina Table widgets.", "description_and_impact": "The vulnerability stems from insufficient input sanitization and output escaping in the Sina Posts, Sina Blog Post and Sina Table widgets, enabling an authenticated Contributor or administrator to store arbitrary JavaScript code in the plugin\u2019s database fields. When a user visits a page containing the injected content, the stored script executes in the visitor\u2019s browser. This stored XSS flaw allows attackers to run malicious client\u2011side code whenever the affected page is rendered.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity, while an EPSS score of <1% reflects a low likelihood of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog, suggesting it has not yet been widely abused. Attackers must be authenticated with Contributor level or higher access on the WordPress site to inject payloads, so the attack vector is limited to privileged users. However, once injected, the JavaScript will run for all visitors to the page, reflecting the potential impact on confidentiality and integrity of the site\u2019s front\u2011end content."}}}}, "created": "2025-08-04T08:58:51.563015+00:00", "updated": "2026-04-20T22:15:06.185310+00:00", "vendors": ["shaosina", "shaosina$PRODUCT$sina_extension_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}