Vulnerability Details CVE-2021-24504
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payloads to be used in them. Furthermore, no CSRF or capability checks were in place, allowing such an attack to be performed either via CSRF or as any user (including unauthenticated users).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 76.4%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
Products affected by CVE-2021-24504
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.0
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.2
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.3
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.4
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.5
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.6
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.7
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.8
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.9
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.0
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.1
- cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.2