WordPress Plugin Vulnerabilities

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) < 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Fancy Text Widget` And `Countdown Widget`

Description

The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Fancy Text Widget` And `Countdown Widget` DOM attributes in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
sina-extension-for-elementor
Fixed in 3.7.1

References

CVE
CVE-2025-6229
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/78b444a2-e5d7-4c3a-86a4-c215c54687a2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
baa8c282-49e8-45de-ac7b-3d5e7b1c067c

Timeline

Publicly Published
2026-03-22 (about 2 months ago)
Added
2026-03-22 (about 2 months ago)
Last Updated
2026-03-23 (about 2 months ago)

Other

Published
Title
Published
2022-12-15
Title
404 to Start <= 1.6.1 - Admin+ Stored XSS
Published
2024-04-29
Title
Front Editor < 4.4.8 - Admin+ Stored XSS
Published
2025-01-03
Title
Private Messages for UserPro <= 4.10.0 - Reflected Cross-Site Scripting
Published
2026-02-10
Title
Download Manager < 3.3.54 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2025-05-07
Title
JupiterX Core < 4.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting