Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows Stored XSS.This issue affects SKT Skill Bar: from n/a through <= 2.3.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SKT Skill Bar plugin contains a stored cross‑site scripting flaw caused by improper neutralization of input during web page generation. This weakness permits an attacker to inject malicious script that will run in the context of any authenticated or unauthenticated visitor of the impacted WordPress site, enabling data theft, session hijacking, or defacement. The vulnerability is classified as CWE‑79.

Affected Systems

Any WordPress site that has installed the sonalsinha21 SKT Skill Bar plugin with a version of 2.3 or earlier is affected. The plugin is listed under the vendor "sonalsinha21:SKT Skill Bar". No specific sub‑versions are enumerated beyond the <=2.3 cap.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity, while the EPSS score of less than 1% shows a very low current exploitation probability. This vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a stored XSS via plugin input fields; an attacker must first inject the payload, which then persists and is served to any user visiting the affected page.

Generated by OpenCVE AI on May 1, 2026 at 10:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SKT Skill Bar plugin to a version newer than 2.3, which incorporates the XSS fix.
  • If an upgrade cannot be performed immediately, disable or remove the plugin to eliminate the vulnerability.
  • Deploy a web application firewall or configure a Content Security Policy that rejects unsanitized script injection on the site.

Generated by OpenCVE AI on May 1, 2026 at 10:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11122 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows Stored XSS.This issue affects SKT Skill Bar: from n/a through <= 2.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 16 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.3.
Title WordPress SKT Skill Bar plugin <= 2.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:42.000Z

Reserved: 2025-02-17T11:50:22.449Z

Link: CVE-2025-26880

cve-icon Vulnrichment

Updated: 2025-04-16T13:56:27.407Z

cve-icon NVD

Status : Deferred

Published: 2025-04-15T22:15:17.643

Modified: 2026-06-17T09:02:32.373

Link: CVE-2025-26880

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')