The Reading progressbar WordPress plugin prior to version 1.3.1 fails to sanitize and escape certain configuration inputs, allowing high‑privilege users such as administrators to inject arbitrary JavaScript that is subsequently stored in the database. This Stored Cross‑Site Scripting (CWE‑79) can be used to hijack user sessions, steal credentials or modify site content when the vulnerable settings are rendered, even if the unfiltered_html capability is disabled in a multisite environment.

The vulnerability affects the Reading progressbar WordPress plugin before version 1.3.1. No specific vendor name is available; the affected product is identified as Unknown:Reading progressbar. Users running any installation of this plugin whose version is older than 1.3.1 are potentially impacted.

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood that this vulnerability will be actively exploited in the wild. The exploit is application‑layer and requires an authenticated user with administrative privileges, which limits the attack surface. However, because the attack can lead to stored code execution in the browser, any compromised administrator could use the vulnerability to compromise other users or the site. The vulnerability is not listed in the CISA KEV catalog, indicating that there are no publicly documented exploits targeting this flaw as of the data available.