CVE-2026-2687
Description
The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Reading progressbar plugin before 1.3.1 allows admin-level stored XSS via unsanitized settings, even when unfiltered_html is disallowed.
The Reading progressbar WordPress plugin prior to version 1.3.1 neither sanitises certain settings when they are saved nor escapes them when they are output. An administrator can therefore place arbitrary HTML or JavaScript in the plugin's configuration, where it is stored and later executed whenever the settings page is viewed or the progress bar is rendered on the front end. The vulnerability matters because WordPress enforces the unfiltered_html capability through its kses filters on post content, comments and similar fields, not on plugin options: a plugin that stores raw option values sidesteps that restriction entirely. The practical consequence is in multisite installations, where only super admins hold unfiltered_html and individual site administrators are deliberately prevented from storing script [1].
Exploitation
An attacker needs an administrator-level account on the WordPress site; no further access or network position is required beyond a logged-in admin session. The attacker enters a malicious payload in one of the affected settings fields, and because the plugin neither sanitises nor escapes the value, it is stored as-is and executed in the browser of any user who views a page where the setting is rendered. The attack is straightforward and requires no privilege beyond admin [1].
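The mechanism and the exploitation path described above, as an added example that is not code from the Reading progressbar plugin: a minimal settings handler written twice, first in the vulnerable shape (raw POST values stored, echoed back unescaped) and then in a hardened shape that validates on save and escapes per output context. The option name rpb_demo_settings, the field names, the nonce action and the settings group are hypothetical; the WordPress API calls are real core functions.

```php
<?php
// Added illustration, not the plugin's own code. Option name, field names,
// nonce action and settings group are hypothetical.

// --- Vulnerable pattern: store raw POST data, echo it back unescaped. ---
function rpb_demo_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'rpb_demo_save' );
    // No sanitisation. Core applies its kses filters to post content when the
    // user lacks unfiltered_html, but never to plugin options, so a site admin
    // without that capability can still store raw markup here.
    update_option( 'rpb_demo_settings', array(
        'bar_color' => $_POST['bar_color'] ?? '',
        'label'     => $_POST['label'] ?? '',
    ) );
}

function rpb_demo_render_vulnerable() {
    $s = get_option( 'rpb_demo_settings', array() );
    // Unescaped output in an attribute and in a text node. A stored value of
    //   " autofocus onfocus="alert(document.domain)
    // breaks out of the attribute; <script>...</script> fires inside the div.
    echo '<input type="text" name="bar_color" value="' . ( $s['bar_color'] ?? '' ) . '">';
    echo '<div class="rpb-label">' . ( $s['label'] ?? '' ) . '</div>';
}

// --- Hardened pattern: validate and sanitise on save, escape per context. ---
function rpb_demo_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    // The colour ends up inside a style attribute, where escaping alone is not
    // enough; accept only a literal six-digit hex colour, else fall back.
    $color = trim( (string) ( $input['bar_color'] ?? '' ) );
    $clean['bar_color'] = preg_match( '/\A#[0-9a-fA-F]{6}\z/', $color ) ? $color : '#000000';
    // The label is plain text: sanitize_text_field() strips tags, invalid
    // UTF-8, octets and line breaks.
    $clean['label'] = sanitize_text_field( $input['label'] ?? '' );
    return $clean;
}

function rpb_demo_register() {
    // sanitize_callback is hooked to sanitize_option_rpb_demo_settings and so
    // runs on every update_option() for this option, whoever the saving user is.
    register_setting( 'rpb_demo_group', 'rpb_demo_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'rpb_demo_sanitize',
    ) );
}
add_action( 'admin_init', 'rpb_demo_register' );

function rpb_demo_render_hardened() {
    $s = get_option( 'rpb_demo_settings', array() );
    // Escape for the context each value lands in: esc_attr() inside attributes,
    // esc_html() in text nodes. The colour was validated on save, so placing it
    // in the style attribute is safe as well.
    echo '<input type="text" name="bar_color" value="' . esc_attr( $s['bar_color'] ?? '' ) . '">';
    echo '<div class="rpb-label" style="color:' . esc_attr( $s['bar_color'] ?? '' ) . '">'
        . esc_html( $s['label'] ?? '' ) . '</div>';
}
```

Two points follow from the hardened half. Sanitising on save and escaping on output are both needed: escaping alone leaves raw markup in the database for any other consumer of the option, and sanitising alone leaves a future rendering path to forget. And a value that lands in CSS (a colour, a height, a z-index) must be validated against the shape it is supposed to have, because esc_attr() only prevents breaking out of the attribute and says nothing about what is valid inside a style rule.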
Impact
Successful exploitation results in stored cross-site scripting (XSS). The injected JavaScript runs in the browser of whoever loads the affected settings page or a front-end page where the progress bar is rendered, in the context of that user's session, with the usual consequences: session or nonce theft, actions performed with the victim's privileges, defacement, or redirection to attacker-controlled sites. Because the payload is stored, it reaches every visitor and every other administrator who views those pages, triggered by ordinary page views rather than by social engineering. On a single-site install an administrator who can already install plugins gains little from this; the exposure is concentrated in multisite and other setups that deliberately withhold unfiltered_html from site admins.
Mitigation
The vulnerability is fixed in version 1.3.1 of the Reading progressbar plugin; users should update. No workarounds are documented, and the usual hardening of defining DISALLOW_UNFILTERED_HTML does not help here, since the bug lies outside the code paths that capability governs. Until the update is applied, deactivating the plugin removes both the settings page and the front-end rendering path (general guidance, not a vendor-documented workaround). After updating, it is also worth inspecting the plugin's stored options (for example with `wp option get <option_name>`, the option name is not given on this page) for markup left behind by an earlier injection; the patched version should render such values inertly, but their presence indicates prior abuse. The vulnerability was publicly disclosed on 2026-02-19 [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Reading progressbar (WordPress plugin), range: <1.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.