Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS.

This issue affects Progress Planner: from n/a through 1.9.0.
Published: 2026-06-02
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Progress Planner plugin for WordPress fails to neutralize input during web page generation (CWE-79), which allows stored cross-site scripting. An attacker who can write to planner data fields can store script there, and the plugin renders it unescaped in the site's pages. Every browser that later views the contaminated planner content executes the stored script, which can hijack user sessions, steal cookies, deface the interface, or redirect traffic.

Affected Systems

The vendor is Emilia Projects, which distributes the Progress Planner WordPress plugin. All versions up to and including 1.9.0 are affected; the lower bound of the range is not specified (n/a), so every earlier release should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 5.9 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) indicates moderate risk; no EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The PR:H and UI:R components of the vector reflect the exploitation path: the attacker must submit malicious content through the plugin's input forms, which typically requires an administrator account or another account permitted to create or edit planner entries, and a victim must then view the affected entry. Because the payload is stored, it affects every subsequent user who views the altered entries, so a single injection reaches all site visitors.

Generated by OpenCVE AI on June 2, 2026 at 15:21 UTC.

Remediation

Vendor Solution

Update the WordPress Progress Planner Plugin to the latest available version (at least 1.9.1).


OpenCVE Recommended Actions

  • Upgrade the WordPress Progress Planner Plugin to version 1.9.1 or later to eliminate the stored XSS flaw.
  • Scan all existing planner entries for embedded JavaScript or unexpected HTML tags and remove or sanitize any that remain; consider replacing the content with safe, plain-text versions.
  • Restrict the plugin's front-end and back-office access to trusted users only, enforce strong authentication, and keep WordPress and all other plugins updated to their latest stable releases.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Emiliaprojects; Emiliaprojects progress Planner; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Emiliaprojects; Emiliaprojects progress Planner; Wordpress; Wordpress wordpress

Tue, 02 Jun 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS. This issue affects Progress Planner: from n/a through 1.9.0.

Type: Title
Values Removed: (none)
Values Added: WordPress Progress Planner plugin <= 1.9.0 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T15:13:53.750Z

Reserved: 2026-02-25T12:14:07.578Z

Link: CVE-2026-28116

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-02T14:16:50.310

Modified: 2026-06-02T14:43:49.920

Link: CVE-2026-28116

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses