Sky Addons
Moderate fix1 remedy
cpe:2.3:a:wowdevs:sky_addons_for_elementor:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 3.3.2
Sky Addons WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in the Sky Addons plugin for WordPress, affecting all versions through 3.3.2. The issue arises in the 'sky-custom-scripts' custom post type, which is registered with 'capability_type' set to 'post' and 'show_in_rest' enabled. This configuration, coupled with inadequate input sanitization of the 'sky_script_content' meta field and insufficient output escaping when scripts are rendered on the frontend, allows authenticated attackers with Author-level access and above to inject arbitrary web scripts via the REST API. These scripts execute on every frontend page, impacting all site visitors.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Remediation
Users are advised to update the Sky Addons WordPress plugin to version 3.3.3 or a newer patched version.
Added: May 8, 2026, 10:23 AM
Updated: May 8, 2026, 10:23 AM
Vulnerability Rating
Custom Algorithm
spread
1.0impact
1.7exploitability
5.8remediation
7.7relevance
7.8threat
3.2urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.