Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar progress-bar allows Stored XSS.This issue affects Progress Bar: from n/a through <= 2.2.3.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing stored cross-site scripting. An attacker can inject malicious scripts into content handled by the Progress Bar plugin, causing those scripts to execute in the browsers of any user who views the affected page. This may lead to session hijacking, defacement, or other malicious actions, depending on the victim’s session and privileges. The weakness corresponds to CWE-79, and the likely attack vector is the plugin’s input channels, where a malicious user injects scripts that are stored and later rendered unfiltered.

Affected Systems

The affected product is the Progress Bar plugin by Chris Reynolds, all versions from the earliest release up through 2.2.3. Any installation of the plugin within this version range is susceptible until an update that addresses the flaw is installed or the plugin is removed.

Risk and Exploitability

The CVSS score of 6.5 denotes a medium‑severity risk. The EPSS score of less than 1% indicates a low probability of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to submit malicious content via the plugin’s input mechanisms; the plugin then renders that content unfiltered when generating a page. If such content is inserted, the stored XSS will execute in every visitor’s browser, potentially compromising user credentials and site integrity.

Generated by OpenCVE AI on May 2, 2026 at 01:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or repository for an available update that addresses the stored XSS issue and install it as soon as possible.
  • If no update is available, restrict the use of the plugin or configure it to sanitize all input data until a fix is released.
  • Search the site for any stored scripts or suspicious content added by the plugin and remove or neutralize them.
  • If the plugin is not essential to site operation, consider disabling or uninstalling it to eliminate the risk.

Generated by OpenCVE AI on May 2, 2026 at 01:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13868 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar allows Stored XSS. This issue affects Progress Bar: from n/a through 2.2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar allows Stored XSS. This issue affects Progress Bar: from n/a through 2.2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar progress-bar allows Stored XSS.This issue affects Progress Bar: from n/a through <= 2.2.3.
Title WordPress Progress Bar <= 2.2.3 - Cross Site Scripting (XSS) Vulnerability WordPress Progress Bar plugin <= 2.2.3 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00045}

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar allows Stored XSS. This issue affects Progress Bar: from n/a through 2.2.3.
Title WordPress Progress Bar <= 2.2.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:40.901Z

Reserved: 2025-05-07T09:38:32.078Z

Link: CVE-2025-47441

cve-icon Vulnrichment

Updated: 2025-05-07T17:21:48.499Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:15:58.197

Modified: 2026-04-23T15:30:13.240

Link: CVE-2025-47441

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses