CVE-2025-26998 – This stored cross-site scripting (XSS) vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-26998?

CVE-2025-26998 has a CVSS score of 6.5 (MEDIUM). This stored cross-site scripting (XSS) vulnerability in the SKT Blocks WordPress plugin allows attackers to inject malicious scripts into web pages. When users view pages containing the malicious content, their browsers execute the scripts, potentially compromising their accounts or sessions. All WordPress sites using SKT Blocks versions up to 1.8 are affected.

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the SKT Blocks WordPress plugin allows attackers to inject malicious scripts into web pages. When users view pages containing the malicious content, their browsers execute the scripts, potentially compromising their accounts or sessions. All WordPress sites using SKT Blocks versions up to 1.8 are affected.

💻 Affected Systems

Products:

SKT Blocks – Gutenberg based Page Builder WordPress plugin

Versions: All versions up to and including 1.8

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the vulnerable plugin enabled. The vulnerability is in the plugin's input handling during page generation.

📦 What is this software?

Skt Blocks by Sktthemes

View all CVEs affecting Skt Blocks →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over websites, deface content, redirect visitors to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies, perform actions on behalf of authenticated users, or redirect users to phishing pages.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Stored XSS vulnerabilities are commonly exploited. While no public PoC is confirmed, the vulnerability type is well-understood and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/skt-blocks/vulnerability/wordpress-skt-blocks-gutenberg-based-page-builder-plugin-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'SKT Blocks – Gutenberg based Page Builder'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.9+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the SKT Blocks plugin until patched

wp plugin deactivate skt-blocks

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

Disable the SKT Blocks plugin immediately
Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → SKT Blocks version. If version is 1.8 or lower, you are vulnerable.

Check Version:

wp plugin get skt-blocks --field=version

Verify Fix Applied:

Verify plugin version is 1.9 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to WordPress admin-ajax.php or admin-post.php containing script tags
Multiple failed login attempts following suspicious content updates

Network Indicators:

Outbound connections to unknown domains from WordPress server
Unexpected JavaScript includes in page responses

SIEM Query:

source="wordpress.log" AND ("skt-blocks" OR "admin-ajax.php") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

📊 Metadata

CVE ID: CVE-2025-26998

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.13% exploit probability (32.5th percentile)

Published: April 15, 2025

Last Updated: May 21, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/skt-blocks/vulnerability/wordpress-skt-blocks-gutenberg-based-page-builder-plugin-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26998, you might also want to check these: