Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows Stored XSS. This issue affects SKT Blocks: from n/a through <= 1.7.
Published: 2025-02-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation allows stored XSS in the SKT Blocks plugin. Malicious code entered through the plugin's input fields can be saved and later rendered in the browser of any user who views the affected content, giving attackers opportunities for session hijacking, defacement, or delivery of further malware. The weakness is a classic improper-neutralization flaw (CWE-79).

Affected Systems

WordPress sites using the SKT Blocks plugin by sonalsinha21. All installed versions up to and including 1.7 are vulnerable; versions above 1.7 contain the fix.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 6.5, indicating a medium‑severity risk. The EPSS score is less than 1%, suggesting that exploitation is currently rare, and it is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s administrative input interface, where attacker‑controlled data can be stored. Successful exploitation would affect all site visitors who load the affected pages. The risk is mitigated only by applying a fix or disabling the plugin.

Generated by OpenCVE AI on May 1, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SKT Blocks to the latest version that removes the XSS flaw (any release greater than 1.7).
  • If an upgrade cannot be performed immediately, disable or delete the plugin to eliminate the attack surface.
  • If content stored by the plugin has already been compromised, manually review and cleanse that data or apply a site‑wide script sanitization policy to strip dangerous HTML before rendering.

Advisories
Source: EUVD
ID: EUVD-2025-4875
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows Stored XSS. This issue affects SKT Blocks: from n/a through <= 1.7.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00054}
Values Added: epss {'score': 0.00024}


Wed, 21 May 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Sktthemes
Sktthemes skt Blocks
CPEs cpe:2.3:a:sktthemes:skt_blocks:*:*:*:*:*:wordpress:*:*
Vendors & Products Sktthemes
Sktthemes skt Blocks

Tue, 18 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 17 Feb 2025 11:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.7.
Title WordPress SKT Blocks plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:40.627Z

Reserved: 2025-02-14T06:53:43.229Z

Link: CVE-2025-26771

Vulnrichment

Updated: 2025-02-18T15:43:37.108Z

NVD

Status: Modified

Published: 2025-02-17T12:15:28.833

Modified: 2026-04-23T15:25:57.157

Link: CVE-2025-26771

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:15:20Z

Weaknesses