Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS.
This issue affects Progress Planner: from n/a through 1.9.0.
AnalysisAI
Stored XSS in the Progress Planner WordPress plugin (versions through 1.9.0) enables a high-privileged attacker to inject persistent malicious scripts into web pages served to other users. Because the scope is marked Changed (S:C), the injected payload executes in the context of lower-privileged site visitors, not just the attacker's session, crossing the admin-to-user security boundary. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Progress Planner is a WordPress plugin developed by Emilia Projects, designed for task and progress tracking within WordPress dashboards. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the stored variant, meaning attacker-controlled input is persisted to the database and later reflected unsanitized into generated HTML. The CVSS vector AV:N/AC:L/PR:H/UI:R/S:C confirms the attack originates over the network, requires no special conditions beyond having high-privilege access (e.g., administrator role), and affects a downstream user component when the stored payload is rendered. The Changed scope indicates the impact extends beyond the plugin's own execution context - a hallmark of stored XSS where admin-injected payloads target lower-privileged users browsing the site.
RemediationAI
Update the Progress Planner plugin to a version above 1.9.0; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/progress-planner/vulnerability/wordpress-progress-planner-plugin-1-9-0-cross-site-scripting-xss-vulnerability should be consulted for the exact patched release, as no specific fixed version number was confirmed in the available input data. As a compensating control prior to patching, restrict the WordPress administrator role to the minimum necessary set of trusted accounts - this directly addresses the PR:H requirement and prevents untrusted parties from injecting stored payloads. Additionally, deploying a web application firewall rule to detect and block XSS payload patterns in plugin input fields can provide partial mitigation, though WAF bypass is possible and should not substitute for patching. Content Security Policy (CSP) headers configured to restrict inline script execution can limit the impact of any stored payloads that do reach end users.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33929
GHSA-mgw3-wpm6-x49w