Skip to main content

Progress Planner CVE-2026-28116

| EUVDEUVD-2026-33929 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 audit@patchstack.com GHSA-mgw3-wpm6-x49w
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 14:37 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS.

This issue affects Progress Planner: from n/a through 1.9.0.

AnalysisAI

Stored XSS in the Progress Planner WordPress plugin (versions through 1.9.0) enables a high-privileged attacker to inject persistent malicious scripts into web pages served to other users. Because the scope is marked Changed (S:C), the injected payload executes in the context of lower-privileged site visitors, not just the attacker's session, crossing the admin-to-user security boundary. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Progress Planner is a WordPress plugin developed by Emilia Projects, designed for task and progress tracking within WordPress dashboards. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored variant, meaning attacker-controlled input is persisted to the database and later reflected unsanitized into generated HTML. The CVSS vector AV:N/AC:L/PR:H/UI:R/S:C confirms the attack originates over the network, requires no special conditions beyond having high-privilege access (e.g., administrator role), and affects a downstream user component when the stored payload is rendered. The Changed scope indicates the impact extends beyond the plugin's own execution context - a hallmark of stored XSS where admin-injected payloads target lower-privileged users browsing the site.

RemediationAI

Update the Progress Planner plugin to a version above 1.9.0; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/progress-planner/vulnerability/wordpress-progress-planner-plugin-1-9-0-cross-site-scripting-xss-vulnerability should be consulted for the exact patched release, as no specific fixed version number was confirmed in the available input data. As a compensating control prior to patching, restrict the WordPress administrator role to the minimum necessary set of trusted accounts - this directly addresses the PR:H requirement and prevents untrusted parties from injecting stored payloads. Additionally, deploying a web application firewall rule to detect and block XSS payload patterns in plugin input fields can provide partial mitigation, though WAF bypass is possible and should not substitute for patching. Content Security Policy (CSP) headers configured to restrict inline script execution can limit the impact of any stored payloads that do reach end users.

Share

CVE-2026-28116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy