CVE-2026-7475
Stored XSS in Sky Addons WordPress Plugin
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sky_addons | plugin | to 3.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Sky Addons plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 3.3.2. This vulnerability arises because the plugin registers a custom post type with certain capabilities and enables REST API access, but it does not properly sanitize input or escape output for the 'sky_script_content' meta field. As a result, authenticated users with Author-level access or higher can inject malicious scripts via the REST API, which then execute on every frontend page for all visitors.
How can this vulnerability impact me? :
This vulnerability allows attackers with Author-level access or higher to inject arbitrary web scripts that execute on the frontend for all site visitors. This can lead to theft of user data, session hijacking, defacement of the website, or distribution of malware to visitors. Because the attack is stored and executed on every page, it can affect all users who visit the site.