CVE-2024-38698

The SKT Skill Bar plugin for WordPress versions through 2.0 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of users who view the affected page [1].

Exploitation requires an authenticated user with the appropriate role (e.g., Contributor) to inject the malicious payload. However, successful execution of the stored script depends on a privileged user—such as an administrator—performing an action like clicking a malicious link, visiting a crafted page, or submitting a form. This user interaction is necessary to trigger the stored XSS [1].

If exploited, an attacker can inject malicious scripts that execute when visitors access the compromised page. This can lead to redirects to malicious sites, display of unwanted advertisements, or other HTML payloads, potentially compromising the site's integrity and user trust [1].

The vulnerability has been addressed in version 2.1 of the plugin. Users are strongly advised to update to this version or later. For those unable to update immediately, Patchstack offers a mitigation rule to block attacks until the update is applied [1].