CVE-2026-2687 - Vulnerability Details

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/

History

Thu, 12 Mar 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title		Reading progressbar < 1.3.1 - Admin+ Stored XSS
References		https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-03-12T06:00:11.992Z

Updated: 2026-03-12T06:00:11.992Z

Reserved: 2026-02-18T14:09:37.224Z

Link: CVE-2026-2687

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-12T06:16:30.613

Modified: 2026-03-12T06:16:30.613

Link: CVE-2026-2687

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object