Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. Rayhan(thecrazycoder) CC Circle Progress Bar cc-circle-progress-bar allows Stored XSS.This issue affects CC Circle Progress Bar: from n/a through <= 1.0.0.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CC Circle Progress Bar plugin for WordPress allows attackers to store malicious script payloads in the web page because it fails to properly neutralize user input. This stored XSS flaw (CWE‑79) enables a malicious actor to inject arbitrary JavaScript that runs with the privileges of anyone who views the affected page. The consequences include cookie theft, session hijacking, defacement, and the execution of further client‑side attacks.

Affected Systems

The vulnerability affects WordPress installations running the CC Circle Progress Bar plugin version 1.0.0 and earlier, developed by Harun R. Rayhan (thecrazycoder). No later versions are documented as affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation under current conditions. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers can exploit the vulnerability by inserting malicious input through the plugin’s configuration or content fields; the payload is persisted and executed whenever the affected page is rendered, requiring the victim to view the page.

Generated by OpenCVE AI on May 2, 2026 at 06:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CC Circle Progress Bar plugin to the latest available version that removes the XSS flaw
  • If an update is not available, uninstall or disable the plugin to eliminate the attack vector
  • As an additional safeguard, ensure that any user‑provided data through the plugin is sanitized or that only users with appropriate capabilities can modify the plugin settings

Generated by OpenCVE AI on May 2, 2026 at 06:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3551 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. Rayhan (Cr@zy Coder) CC Circle Progress Bar allows Stored XSS.This issue affects CC Circle Progress Bar: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. Rayhan (Cr@zy Coder) CC Circle Progress Bar allows Stored XSS.This issue affects CC Circle Progress Bar: from n/a through 1.0.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. Rayhan(thecrazycoder) CC Circle Progress Bar cc-circle-progress-bar allows Stored XSS.This issue affects CC Circle Progress Bar: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harun R. Rayhan (Cr@zy Coder) CC Circle Progress Bar allows Stored XSS.This issue affects CC Circle Progress Bar: from n/a through 1.0.0.
Title WordPress CC Circle Progress Bar plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:39:21.130Z

Reserved: 2025-01-16T11:32:32.178Z

Link: CVE-2025-23936

cve-icon Vulnrichment

Updated: 2025-01-17T17:15:44.235Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T21:15:35.677

Modified: 2026-06-17T08:57:45.603

Link: CVE-2025-23936

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')