Description
The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every frontend page for all site visitors.
Published: 2026-05-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with the Author role or higher can store arbitrary JavaScript in the `sky-custom-scripts` custom post type through the Sky Addons plugin. The stored code is later rendered on the frontend without escaping, so every visitor to a page that outputs the script executes the attacker’s payload. This lets an attacker deface the frontend, steal visitors’ session cookies, or load malicious resources, compromising confidentiality and integrity for site visitors.

Affected Systems

All versions of the Sky Addons – Elementor Addons with Widgets & Templates plugin from wowdevs up to and including 3.3.2 are affected. Versions 3.3.3 and newer are not vulnerable.

Risk and Exploitability

The CVSS base score is 6.4, indicating a medium to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the REST API, inferred from the requirement that the attacker must be authenticated and that the vulnerability is exploited via the custom post type’s REST endpoint. Exploitation requires the attacker to have Author or higher role, which is a common role on many sites, increasing the practical risk.

Generated by OpenCVE AI on May 8, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Sky Addons to version 3.3.3 or newer.
  • Restrict or remove the default capabilities for the `sky-custom-scripts` custom post type to prevent Authors from adding scripts.
  • Remove or sanitize the `sky_script_content` field and implement proper output escaping within the plugin.
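The two registration patterns below are an added illustration, not Sky Addons code: the first is the weak configuration the advisory describes, the second restricts the post type and its meta field to administrators who hold `unfiltered_html`. The post type name and meta key come from the advisory; the function names, the capability type `sky_custom_script`, and the administrator-only grant are assumptions.

```php
<?php
// Added example, not the plugin's own code. Weak pattern as described in the
// advisory: ordinary 'post' capabilities (so Authors can create entries) exposed
// through the REST API, with the script body stored as free-form meta.
function sky_demo_register_weak() {
    register_post_type( 'sky-custom-scripts', array(
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => true,
        'capability_type' => 'post',
        'supports'        => array( 'title', 'custom-fields' ),
    ) );
}

// Hardened pattern: a dedicated capability type that no default role owns, so
// only roles explicitly granted those capabilities can create or edit script
// posts, whether through wp-admin or the REST API.
function sky_demo_register_hardened() {
    register_post_type( 'sky-custom-scripts', array(
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => true,
        'capability_type' => array( 'sky_custom_script', 'sky_custom_scripts' ),
        'map_meta_cap'    => true,
        'supports'        => array( 'title', 'custom-fields' ),
    ) );

    // A raw <script> body cannot be escaped meaningfully, so writes to the meta
    // field are gated on unfiltered_html, the core capability that already
    // decides who may publish raw markup (Authors lack it; on multisite only
    // super admins hold it).
    register_post_meta( 'sky-custom-scripts', 'sky_script_content', array(
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => true,
        'auth_callback' => function () {
            return current_user_can( 'unfiltered_html' )
                && current_user_can( 'edit_sky_custom_scripts' );
        },
    ) );
}

// Grant the custom primitive capabilities to administrators only (run once,
// e.g. on plugin activation). map_meta_cap maps the per-post meta caps to these.
function sky_demo_grant_caps() {
    $role = get_role( 'administrator' );
    if ( ! $role ) {
        return;
    }
    $caps = array( 'edit_sky_custom_scripts', 'edit_others_sky_custom_scripts',
        'edit_private_sky_custom_scripts', 'edit_published_sky_custom_scripts',
        'publish_sky_custom_scripts', 'read_private_sky_custom_scripts',
        'delete_sky_custom_scripts', 'delete_others_sky_custom_scripts',
        'delete_private_sky_custom_scripts', 'delete_published_sky_custom_scripts' );
    foreach ( $caps as $cap ) {
        $role->add_cap( $cap );
    }
}
```

Hook `sky_demo_register_hardened` to `init` and call `sky_demo_grant_caps` from the activation hook; with these capabilities in place an Author-level REST request to create or update such a post is refused before any meta is written.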


Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every frontend page for all site visitors.
Title Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-08T12:12:36.653Z

Reserved: 2026-04-29T21:17:57.613Z

Link: CVE-2026-7475

Vulnrichment

Updated: 2026-05-08T12:12:33.080Z

NVD

Status: Received

Published: 2026-05-08T10:16:29.440

Modified: 2026-05-08T10:16:29.440

Link: CVE-2026-7475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T11:30:07Z

Weaknesses