PT-2026-38904 · WordPress · Sky Addons

Athiwat Tiprasaharn · Published 2026-05-08 · Updated 2026-05-09

CVE-2026-7475

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sky Addons versions prior to 3.3.3

Description: The Sky Addons plugin for WordPress allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts. This occurs because the sky-custom-scripts custom post type is registered with capability_type => 'post' and show_in_rest => true, while the sky script content meta field lacks sufficient input sanitization and output escaping during frontend rendering. Scripts injected through the REST API are then executed on every frontend page for all site visitors.

Recommendations: Update the plugin to a version later than 3.3.2. As a temporary workaround, restrict access to the REST API or limit user permissions to prevent Author-level users from modifying the sky script content meta field.
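The registration pattern the description points at, and a hardened form of it, as an added example (this is not the Sky Addons plugin's own code). The post type name sky-custom-scripts is taken from the advisory; the meta key `example_script_content` and the function names are placeholders, not the plugin's real identifiers. The weak form relies on the default meta authorization (anyone who can edit the post), so an Author can set the field through the REST API; the hardened form gates writes on the `unfiltered_html` capability, which Authors do not hold by default, and re-checks it at render time.

```php
<?php
// Added example, not the Sky Addons plugin's own code. 'sky-custom-scripts' is the
// post type named in the advisory; 'example_script_content' is a placeholder meta key.

// Weak pattern: capability_type 'post' plus show_in_rest means any user who can
// create posts (Author and above) can create a sky-custom-scripts post over the
// REST API. With no auth_callback, meta writes default to "can edit this post",
// and with no sanitize_callback the value reaches the frontend unchanged.
function example_register_weak() {
    register_post_type( 'sky-custom-scripts', array(
        'capability_type' => 'post',
        'show_in_rest'    => true,
        'supports'        => array( 'title', 'custom-fields' ),
    ) );
    register_post_meta( 'sky-custom-scripts', 'example_script_content', array(
        'type'         => 'string',
        'single'       => true,
        'show_in_rest' => true,
        // no auth_callback, no sanitize_callback
    ) );
}

// Hardened pattern: a raw-script field is by nature unescapable at output, so the
// control is who may write it. Only users with unfiltered_html (Administrators
// and Editors on a default single-site install, never Authors) may set the meta,
// whether through the REST API or the editor; everyone else gets the same
// wp_kses_post filtering core applies to their post content.
function example_register_hardened() {
    register_post_type( 'sky-custom-scripts', array(
        'capability_type' => 'post',
        'show_in_rest'    => true,
        'supports'        => array( 'title', 'custom-fields' ),
    ) );
    register_post_meta( 'sky-custom-scripts', 'example_script_content', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        'auth_callback'     => function ( $allowed, $meta_key, $post_id, $user_id ) {
            return user_can( $user_id, 'unfiltered_html' )
                && user_can( $user_id, 'edit_post', $post_id );
        },
        'sanitize_callback' => function ( $value ) {
            if ( ! current_user_can( 'unfiltered_html' ) ) {
                return wp_kses_post( $value ); // strips <script> for non-privileged writers
            }
            return $value;
        },
    ) );
}

// Frontend rendering: re-check the author's capability at output time, so a
// script stored by a user who never had (or has since lost) unfiltered_html is
// not emitted to every visitor.
function example_render_scripts() {
    $query = new WP_Query( array(
        'post_type'      => 'sky-custom-scripts',
        'post_status'    => 'publish',
        'posts_per_page' => -1,
    ) );
    foreach ( $query->posts as $post ) {
        if ( ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
            continue;
        }
        $script = get_post_meta( $post->ID, 'example_script_content', true );
        if ( is_string( $script ) && $script !== '' ) {
            // Raw output is intentional for a custom-scripts feature; safety comes
            // from the write and render gates above, not from escaping here.
            echo '<script>' . $script . '</script>';
        }
    }
}

add_action( 'init', 'example_register_hardened' );
add_action( 'wp_footer', 'example_render_scripts' );
```

The auth_callback is what closes the REST path: core consults it for every meta write made through the REST API as well as through the editor, so restricting it is a narrower fix than the advisory's blanket workaround of turning off REST access. On multisite, or where DISALLOW_UNFILTERED_HTML is set, `unfiltered_html` is unavailable to everyone, so a site admin would need to substitute a capability of their own (for example one granted only to Administrators) in both the auth_callback and the render-time check.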

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-7475

Affected Products: Sky Addons