Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows Stored XSS. This issue affects SKT Blocks: from n/a through <= 2.0.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the SKT Blocks Gutenberg‑based page builder plugin and allows an attacker to store malicious script code within the site’s content, which is later rendered unescaped to visitors. Once executed, a stored XSS can steal cookies, session data, modify page content, or redirect users to malicious sites. The weakness is a classic Improper Neutralization of Input During Web Page Generation, classified as CWE‑79, and it can affect the confidentiality, integrity, and availability of the web application.

Affected Systems

Any WordPress installation that has the SKT Blocks plugin version 2.0 or earlier installed is vulnerable. The plugin is distributed by sonalsinha21 under the SKT Themes brand and can be found in the WordPress plugin repository and under the SKT Blocks CPE namespace.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk level. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely, and the vulnerability is not listed as a known exploited target in the CISA KEV catalog. Based on the description, the attack is likely carried out by an authenticated user who can inject input into cached or persistent fields associated with the plugin, or, alternatively, a visitor who can trick the site into executing previously injected content.

Generated by OpenCVE AI on April 30, 2026 at 21:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SKT Blocks to the latest version released by the vendor, or apply any patch that addresses stored XSS injection.
  • If a patch is not yet available or the plugin is not required, remove or disable the SKT Blocks plugin entirely to eliminate the attack surface.
  • Configure a Content Security Policy that disallows inline scripts and restricts script sources to trusted domains, and verify that WordPress core and all plugins are kept up to date to reduce similar vulnerabilities.

Advisories
Source: EUVD
ID: EUVD-2025-12319
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 2.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows Stored XSS.This issue affects SKT Blocks: from n/a through <= 2.0.
Title
  Values Removed: WordPress SKT Blocks – Gutenberg based Page Builder <= 2.0 - Cross Site Scripting (XSS) Vulnerability
  Values Added: WordPress SKT Blocks – Gutenberg based Page Builder plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability
References
Metrics
  Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Wed, 30 Apr 2025 16:45:00 +0000

First Time appeared
  Values Added: Sktthemes; Sktthemes skt Blocks
CPEs
  Values Added: cpe:2.3:a:sktthemes:skt_blocks:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values Added: Sktthemes; Sktthemes skt Blocks

Tue, 22 Apr 2025 15:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 10:00:00 +0000

Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 2.0.
Title
  Values Added: WordPress SKT Blocks – Gutenberg based Page Builder <= 2.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Values Added: CWE-79
References
Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:36.748Z

Reserved: 2025-04-22T09:21:32.318Z

Link: CVE-2025-46235

Vulnrichment

Updated: 2025-04-22T14:17:14.096Z

NVD

Status: Modified

Published: 2025-04-22T10:15:16.753

Modified: 2026-04-23T15:29:55.400

Link: CVE-2025-46235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses