Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr Progress Tracker progress-tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through <= 0.9.3.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improperly neutralized input during web page generation allows an attacker to inject malicious JavaScript into the Progress Tracker plugin interface. The vulnerability is DOM-based: the plugin's client-side code writes attacker-influenced data into the page, so arbitrary script can run in the browser of an affected user who visits a crafted link or interacts with vulnerable input fields. An attacker could use this for session hijacking, defacement, or phishing by delivering a script inside the plugin's output.

Affected Systems

WordPress Progress Tracker plugin, versions up to 0.9.3, supplied by Alex Furr. The issue exists in all releases from the initial deployment through 0.9.3 inclusive.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium-severity risk. The EPSS score is below 1%, suggesting that exploitation in the wild is unlikely but still possible if an attacker can entice users to visit a malicious URL. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires a victim to load the page that carries the injected payload; an attacker can typically influence the URL or form input that the plugin processes, making the attack vector client-side and dependent on user interaction.

Generated by OpenCVE AI on May 1, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Progress Tracker plugin to version 1.0.0 or later, which removes the DOM‑based XSS flaw.
  • If an immediate upgrade is not possible, ensure that any user‑supplied input processed by the plugin is properly escaped or sanitized before rendering to prevent script injection.
  • Implement a strict Content‑Security‑Policy header to restrict the execution of inline scripts and disallow unsafe directives, adding an additional layer of protection against XSS.


Advisories

Source: EUVD
ID: EUVD-2025-3510
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through 0.9.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through 0.9.3.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr Progress Tracker progress-tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through <= 0.9.3.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 22:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type: Description
Value: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Furr and Simon Ward Progress Tracker allows DOM-Based XSS. This issue affects Progress Tracker: from n/a through 0.9.3.

Type: Title
Value: WordPress Progress Tracker plugin <= 0.9.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Value: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:44:00.586Z

Reserved: 2025-01-16T11:31:51.930Z

Link: CVE-2025-23892

Vulnrichment

Updated: 2025-01-17T21:52:38.368Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:30.580

Modified: 2026-06-17T08:57:41.170

Link: CVE-2025-23892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')