CVE-2026-2687

MEDIUM 4.3

Reading progressbar < 1.3.1 - Admin+ Stored XSS

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Vendor	unknown
Product	reading progressbar
Published	Mar 12, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for unknown reading progressbar

Be the first to know when new medium vulnerabilities affecting unknown reading progressbar are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / Reading progressbar

0 < 1.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/

Credits

Krugov Artyom WPScan