{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2687", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-18T14:09:37.224Z", "datePublished": "2026-03-12T06:00:11.992Z", "dateUpdated": "2026-03-12T13:39:16.674Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-12T06:00:11.992Z"}, "title": "Reading progressbar < 1.3.1 - Admin+ Stored XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Reading progressbar", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "1.3.1"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "references": [{"url": "https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Krugov Artyom", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:39:13.082159Z", "id": "CVE-2026-2687", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:39:16.674Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2687", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:39:13.082159Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:39:07.091Z"}}], "cna": {"title": "Reading progressbar < 1.3.1 - Admin+ Stored XSS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Krugov Artyom"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Reading progressbar", "versions": [{"status": "affected", "version": "0", "lessThan": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-12T06:00:11.992Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2687", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:39:16.674Z", "dateReserved": "2026-02-18T14:09:37.224Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-12T06:00:11.992Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}, {"lang": "es", "value": "El plugin de WordPress Reading progressbar anterior a la versi\u00f3n 1.3.1 no sanea ni escapa algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con altos privilegios, como el administrador, realizar ataques de cross-site scripting almacenado incluso cuando la capacidad unfiltered_html est\u00e1 deshabilitada (por ejemplo, en una configuraci\u00f3n multisitio)."}], "id": "CVE-2026-2687", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-12T06:16:30.613", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.3.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "Reading progressbar", "source": "cna", "vendor": "Unknown"}, "product": "reading_progressbar", "vendor": "reading_progressbar"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T14:59:35.716067+00:00", "value": {"mitigation_remediation": ["Upgrade the Reading progressbar plugin to version 1.3.1 or newer.", "If upgrade is not possible, disable or uninstall the plugin to prevent stored XSS.", "Restrict the use of high\u2011privilege roles to only those who absolutely need them.", "Implement a Content Security Policy that disallows inline scripts to mitigate XSS impact.", "Regularly review user activity logs for suspicious script injections."], "summary": {"action": "Upgrade Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Reading progressbar WordPress plugin before version 1.3.1. No specific vendor name is available; the affected product is identified as Unknown:Reading progressbar. Users running any installation of this plugin whose version is older than 1.3.1 are potentially impacted.", "description_and_impact": "The Reading progressbar WordPress plugin prior to version 1.3.1 fails to sanitize and escape certain configuration inputs, allowing high\u2011privilege users such as administrators to inject arbitrary JavaScript that is subsequently stored in the database. This Stored Cross\u2011Site Scripting (CWE\u201179) can be used to hijack user sessions, steal credentials or modify site content when the vulnerable settings are rendered, even if the unfiltered_html capability is disabled in a multisite environment.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood that this vulnerability will be actively exploited in the wild. The exploit is application\u2011layer and requires an authenticated user with administrative privileges, which limits the attack surface. However, because the attack can lead to stored code execution in the browser, any compromised administrator could use the vulnerability to compromise other users or the site. The vulnerability is not listed in the CISA KEV catalog, indicating that there are no publicly documented exploits targeting this flaw as of the data available."}}}}, "created": "2026-03-13T09:53:29.940752+00:00", "updated": "2026-03-20T15:35:59.481175+00:00", "vendors": ["reading_progressbar", "reading_progressbar$PRODUCT$reading_progressbar", "wordpress", "wordpress$PRODUCT$wordpress"]}