CVE-2025-66090

Vulnerability

Overview

The SKT Skill Bar WordPress plugin (versions up to and including 2.5) contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript or HTML payloads that execute in the context of a victim's browser when they visit a page using the plugin.

Exploitation

Details

Exploitation requires user interaction — a privileged user (such as an administrator) must perform an action like clicking a crafted link or submitting a malicious form [1]. The attack does not require authentication for the initial injection, but successful execution depends on the target user's session. The vulnerability is classified as DOM-based, meaning the payload is processed client-side without server-side sanitization.

Impact

An attacker who successfully exploits this vulnerability can inject malicious scripts that may redirect visitors to phishing sites, display unwanted advertisements, or steal sensitive session data [1]. The CVSS v3 score of 6.5 (Medium) reflects the need for user interaction and the potential for significant client-side impact.

Mitigation

The vendor has released version 2.6 which resolves the issue [1]. Users are strongly advised to update immediately. For those unable to update, disabling the plugin or seeking assistance from a hosting provider is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].