Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows Stored XSS.This issue affects SKT Skill Bar: from n/a through <= 2.4.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SKT Skill Bar plugin for WordPress contains a stored cross‑site scripting flaw that allows an attacker to inject malicious JavaScript into the plugin’s data fields. Once stored, the script is served to every visitor who views a page that renders the plugin data, enabling attackers to steal session cookies, deface content, or hijack user sessions, thereby compromising confidentiality and integrity of the site.

Affected Systems

This vulnerability affects the SKT Skill Bar plugin distributed by sonalsinha21, with all releases up to and including version 2.4 deemed vulnerable; any WordPress installation using one of these versions is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The plugin is not listed in CISA's KEV catalog. The likely attack vector involves a user with content‑creation permissions injecting script payloads into the plugin’s fields, which are then rendered to all site visitors. No additional conditions beyond typical content‑submission privileges are required to exploit the flaw.

Generated by OpenCVE AI on April 30, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SKT Skill Bar plugin to a version newer than 2.4 or replace it with an alternate, vetted plugin.
  • Immediately deactivate or uninstall the vulnerable plugin on any WordPress site that is running an affected version.
  • Deploy a Content Security Policy that restricts inline scripts and unknown origins to mitigate potential XSS damage.

Generated by OpenCVE AI on April 30, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13839 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows Stored XSS.This issue affects SKT Skill Bar: from n/a through <= 2.4.
Title WordPress SKT Skill Bar <= 2.4 - Cross Site Scripting (XSS) Vulnerability WordPress SKT Skill Bar plugin <= 2.4 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00045}

Thu, 08 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through 2.4.
Title WordPress SKT Skill Bar <= 2.4 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.620Z

Reserved: 2025-05-07T09:39:08.090Z

Link: CVE-2025-47482

cve-icon Vulnrichment

Updated: 2025-05-08T16:11:11.513Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:02.377

Modified: 2026-04-23T15:30:18.400

Link: CVE-2025-47482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:45:36Z

Weaknesses