CVE-2025-60138
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows Stored XSS. This issue affects SKT Blocks: from n/a through <= 2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in SKT Blocks WordPress plugin allows authenticated attackers to inject malicious scripts, affecting versions up to 2.6.
The SKT Blocks plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker with the required privileges to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users visit the affected page.
Exploitation requires an authenticated user with the appropriate role to perform an action, such as clicking a malicious link or submitting a crafted form [1]. The vulnerability is particularly concerning because it is used in mass-exploit campaigns targeting thousands of websites, regardless of their size or popularity [1].
Successful exploitation enables an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which are executed in the context of the victim's browser when they access the compromised page [1]. This can lead to defacement, data theft, or further compromise of the site.
As an immediate mitigation, users should update the SKT Blocks plugin to a version newer than 2.6 [1]. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
<=2.6 + 1 more
- (no CPE) range: <=2.6
- (no CPE) range: <=2.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.