CVE-2024-38698: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in SKT Themes SKT Skill Bar WordPress plugin versions up to 2.0. The vulnerability was initially reported by Jean Tirstan T on February 27, 2024, and was publicly disclosed on July 11, 2024. The issue was assigned CVE-2024-38698 and affects all versions of SKT Skill Bar through version 2.0 (Patchstack Report).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue, identified as CWE-79. It received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor-level privileges or higher to exploit (Patchstack Report).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered to have low severity and is deemed unlikely to be exploited (Patchstack Report).

Users are advised to update to SKT Skill Bar version 2.1 or later to remediate this vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack Report).