CVE-2025-11883

The Responsive Progress Bar plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in its rprogress shortcode. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious script injection.

Authenticated attackers with contributor-level access or above can exploit this by injecting arbitrary web scripts via the shortcode. The injected scripts execute whenever a user accesses the affected page, requiring only the ability to create or edit posts with the shortcode.

Successful exploitation enables attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or further attacks on the WordPress site.

The plugin has been closed as of October 17, 2025, and is no longer available for download due to this security issue [1]. Users should remove or replace the plugin immediately to mitigate risk.