CVE-2021-24702 — Cross-site Scripting in Learnpress

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 57.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thimpress Learnpress Learnpress

Timeline

PublishedOct 18

Latest updateMay 24

Description

The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltred_html capability is disallowed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶NVDthimpress/learnpress< 4.1.3.1

▶CVEListV5learnpress/learnpress4.1.3.1 — 4.1.3.1

🔴Vulnerability Details

GHSA

GHSA-rm8g-jg4c-wrr9: The LearnPress WordPress plugin before 4↗2022-05-24

▶

CVEList

LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting↗2021-10-18

▶