CVE-2025-26998: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the SKT Blocks – Gutenberg based Page Builder WordPress plugin, identified as CVE-2025-26998. The vulnerability affects versions up to and including 1.8 of the plugin. The issue was discovered by researcher zaim and was publicly disclosed on April 11, 2025 (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 6.5 (Medium) from Patchstack. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality. The technical assessment indicates that the vulnerability requires authenticated access with contributor-level privileges or higher (NVD, Patchstack).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. This could potentially lead to the injection of malicious redirects, unauthorized advertisements, and other harmful HTML payloads that affect website visitors (Patchstack).

The vulnerability has been fixed in version 1.9 of the SKT Blocks – Gutenberg based Page Builder plugin. Website administrators are advised to update to version 1.9 or later to remediate this security issue. Patchstack users have the option to enable auto-updates for vulnerable plugins as an additional security measure (Patchstack).