CVE-2025-47482
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through <= 2.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SKT Skill Bar WordPress plugin ≤2.4 has a Stored XSS vulnerability allowing attackers with low privileges to inject malicious scripts.
Vulnerability
Overview
The SKT Skill Bar plugin for WordPress, in versions up to and including 2.4, contains a stored cross-site scripting (XSS) vulnerability (CWE-79, improper neutralization of input during web page generation): user-supplied data is saved by the plugin and later written into a page without being sanitized on input or escaped for its output context, so HTML and script in the stored value reach the browser intact. Reference [1] classifies the issue as stored XSS.
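The pattern described above, shown as an added example rather than code from the SKT Skill Bar plugin or from the advisory: the page does not identify the injection point, so this assumes a shortcode-style render function whose attributes (title, percent, color) were saved with a post by a low-privileged author and are echoed at render time. The function names and attribute names are assumptions for illustration; the vulnerable version interpolates the stored values raw, the hardened version validates each value and escapes for its exact output context.

```php
<?php
// Added example, not the plugin's own code. Illustrates the stored-XSS pattern
// described on this page: a render function that echoes saved attributes into
// HTML without escaping, next to a hardened version. Attribute names and
// function names are assumptions. Runs with plain php-cli; inside WordPress the
// idiomatic equivalents of the stand-ins below are esc_attr(), esc_html(),
// absint() and sanitize_hex_color().

// Vulnerable: attributes stored by a low-privileged author are interpolated raw.
function skt_render_skill_bar_vulnerable(array $atts): string {
    $title   = $atts['title']   ?? '';
    $percent = $atts['percent'] ?? '0';
    $color   = $atts['color']   ?? '#000000';
    return '<div class="skill-bar" style="width:' . $percent . '%;background:' . $color . '">'
         . '<span class="skill-title">' . $title . '</span></div>';
}

// Hardened: constrain each value to its expected type, then escape at output.
function skt_render_skill_bar_hardened(array $atts): string {
    // Free-form text rendered as a text node: HTML-escape it, quotes included.
    $title = htmlspecialchars((string)($atts['title'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Numeric value: coerce to int and clamp, so no markup can survive.
    $percent = max(0, min(100, (int)($atts['percent'] ?? 0)));

    // CSS colour: allow-list a six-digit hex value, otherwise use a default.
    $color = (string)($atts['color'] ?? '');
    if (!preg_match('/^#[0-9a-fA-F]{6}$/', $color)) {
        $color = '#000000';
    }

    return '<div class="skill-bar" style="width:' . $percent . '%;background:' . $color . '">'
         . '<span class="skill-title">' . $title . '</span></div>';
}

// Constructed payload standing in for attributes a low-privileged user stored.
// The color value breaks out of the style attribute; the title injects a tag.
$stored = [
    'title'   => '<img src=x onerror=alert(document.cookie)>',
    'percent' => '50',
    'color'   => 'red" onmouseover="alert(1)',
];

echo "Vulnerable output:\n", skt_render_skill_bar_vulnerable($stored), "\n\n";
echo "Hardened output:\n",   skt_render_skill_bar_hardened($stored), "\n";
```

The vulnerable output carries a live `onmouseover` handler and an `<img onerror>` tag into every visitor's browser; the hardened output renders the title as literal text and discards the colour value entirely. Escaping is done where the value is written into HTML (late escaping), because the same stored string may be needed in a different context elsewhere.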
Exploitation
Requirements
The attack vector is the network and the attack complexity is low. The summary above describes the attacker as an authenticated user with low privileges, who stores the payload through the plugin; the injected script then runs only when another user loads the affected page, so exploitation depends on user interaction by the victim. Reference [1] frames this as a privileged user, such as an administrator, having to take an action (for example viewing a page or following a crafted link) before the script executes.
Impact
An attacker who can store the payload injects arbitrary JavaScript into the affected page, and it executes in the browser of every user who loads that page, including anonymous visitors and logged-in administrators. Typical consequences are redirection to attacker-controlled sites, injected advertisements, defacement, and theft of session cookies or credentials. WordPress sets its authentication cookies HttpOnly by default, so against an administrator the larger risk is not cookie theft but the script acting in the dashboard with the victim's privileges. Reference [1] notes the potential for mass exploitation and warns of campaigns targeting thousands of websites.
Mitigation
The vulnerability is fixed in version 2.5 of the SKT Skill Bar plugin, and users are strongly advised to update immediately. The installed version can be checked in the WordPress plugins screen or, on the command line, with `wp plugin list`, and the plugin updated with `wp plugin update skt-skill-bar`. If updating is not possible, consult a hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins. The vulnerability has a CVSS v3 score of 6.5 (Medium); although the exploitation likelihood is described as low, the plugin's wide deployment elevates the overall risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.