CVE-2025-3276 identifies a stored cross-site scripting (XSS) vulnerability in the SKT Blocks – Gutenberg based Page Builder plugin for WordPress, specifically within the Post Carousel block component. The root cause is improper neutralization of input during web page generation, classified under CWE-79. This vulnerability allows authenticated users with at least Contributor privileges to inject arbitrary JavaScript code into pages. The plugin fails to adequately sanitize user input and escape output, enabling malicious scripts to be stored persistently in the website content. When any user accesses a page containing the injected script, the malicious code executes in their browser context, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability affects all versions up to and including 1.9 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No public exploit code or active exploitation has been reported yet. The vulnerability was published on April 12, 2025, and assigned by Wordfence. The absence of patches at the time of reporting necessitates immediate attention from site administrators.

The impact of this vulnerability is significant for organizations running WordPress sites with the SKT Blocks plugin installed. Since the exploit requires only Contributor-level access, an attacker who can create or edit content can inject malicious scripts that execute for all visitors, including administrators. This can lead to session hijacking, credential theft, defacement, unauthorized actions, or distribution of malware. The compromise of administrative accounts could escalate the attack further, potentially leading to full site takeover. Given WordPress's widespread use globally, many websites—especially those with multiple content contributors—are at risk. The vulnerability undermines the confidentiality and integrity of user data and site content, though it does not directly impact availability. The medium CVSS score reflects the moderate ease of exploitation combined with the potential for impactful consequences. Organizations relying on this plugin for content management or marketing risk reputational damage and user trust erosion if exploited.

To mitigate this vulnerability, organizations should immediately upgrade the SKT Blocks plugin to a patched version once available. Until a patch is released, administrators should restrict Contributor-level access to trusted users only, minimizing the risk of malicious content injection. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the Post Carousel block can provide interim protection. Regularly audit user-generated content for suspicious scripts or anomalies. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Additionally, site owners should monitor logs for unusual activity and educate contributors about safe content practices. If feasible, temporarily disabling or removing the vulnerable Post Carousel block can eliminate the attack vector. Finally, ensure that WordPress core and all plugins are kept up to date to reduce exposure to known vulnerabilities.