Reading progressbar WordPress Plugin: Admin Privileges Exploit via Stored Malicious Code

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.3

Reading progressbar WordPress Plugin: Admin Privileges Exploit via Stored Malicious Code

CVE-2026-2687

Summary

A security issue in the Reading progressbar WordPress plugin could allow an admin user to inject malicious code into the website, potentially taking control of the site. This could happen even if the site has strict security settings in place. WordPress users who have the Reading progressbar plugin installed should update to version 1.3.1 or higher to fix this issue.

Original title

Original description

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://wpscan.com/vulnerability/af2e1249-2b69-47b6-85aa-9a6b30c51936/

Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026