WordPress Plugin Vulnerabilities

SKT Skill Bar < 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The SKT Skill Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
skt-skill-bar
Fixed in 2.4

References

CVE
CVE-2025-26880
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/89acb513-60aa-49ad-8050-9dff1ce71cc5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
zaim
Verified
No
WPVDB ID
4cd25602-69dd-44be-b41c-b08009a66b68

Timeline

Publicly Published
2025-04-11 (about 11 months ago)
Added
2025-04-16 (about 11 months ago)
Last Updated
2025-04-16 (about 11 months ago)

Other

Published
Title
Published
2025-01-16
Title
SOCIAL.NINJA <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-26
Title
Product Feed PRO for WooCommerce by AdTribes – WooCommerce Product Feeds for Google, Facebook/Meta, Bing, & More < 13.2.6 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
Stray Random Quotes <= 1.9.9 - Reflected Cross-Site Scripting
Published
2023-10-29
Title
Related Products for WooCommerce < 3.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-11-11
Title
Photography < 7.7.4 - Reflected Cross-Site Scripting