Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through <= 2.2.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SKT Blocks plugin for WordPress includes a DOM‑based cross‑site scripting flaw caused by inadequate sanitization of user input. When a user visits a crafted URL or interacts with a page that contains malicious JavaScript, the script executes in the victim’s browser. This can lead to the theft of session cookies, credential compromise, or the execution of additional malicious payloads through the user’s session.

Affected Systems

All installations of the SKT Blocks plugin at version 2.2 or earlier are affected. WordPress sites that have installed any version of the plugin released by sonalsinha21 up to and including 2.2 are susceptible to this vulnerability.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating medium severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is low, and the issue is not listed in the CISA KEV catalog. Exploitation typically requires the attacker to supply a malicious payload through a URL or form that the plugin processes, so it is an injection-type flaw (CWE-79) that requires victim interaction and active use of the vulnerable plugin version.

Generated by OpenCVE AI on April 30, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SKT Blocks plugin to the latest version available (≥3.0).
  • If an upgrade cannot be performed immediately, temporarily disable or uninstall the plugin until a patched version is released.
  • Deploy or configure a web application firewall rule to block or sanitize input parameters that target the SKT Blocks plugin, specifically filtering common XSS payloads.

Advisories

Source: EUVD
ID: EUVD-2025-28187
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through 2.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through 2.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows DOM-Based XSS.This issue affects SKT Blocks: from n/a through <= 2.2.

Type: Title
Values Removed: WordPress SKT Blocks <= 2.2 - Cross Site Scripting (XSS) Vulnerability
Values Added: WordPress SKT Blocks plugin <= 2.2 - Cross Site Scripting (XSS) Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 09 Jul 2025 02:30:00 +0000

Type: First Time appeared
Values Added: Sktthemes; Sktthemes skt Blocks

Type: CPEs
Values Added: cpe:2.3:a:sktthemes:skt_blocks:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Sktthemes; Sktthemes skt Blocks

Mon, 19 May 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through 2.2.

Type: Title
Values Added: WordPress SKT Blocks <= 2.2 - Cross Site Scripting (XSS) Vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.531Z

Reserved: 2025-05-19T14:13:16.807Z

Link: CVE-2025-48270

Vulnrichment

Updated: 2025-05-19T15:07:44.470Z

NVD

Status: Modified

Published: 2025-05-19T15:15:30.763

Modified: 2026-04-23T15:31:00.173

Link: CVE-2025-48270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses