CVE-2023-0236
Published 2023-02-06
Priority: P3 (33) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 1.35% (67.9th percentile)
The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting them back in HTML attributes, leading to reflected cross-site scripting that could be used against high-privilege users such as administrators.
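The attribute-context escaping failure the description refers to, as an added illustrative example (not Tutor LMS code, and not taken from the advisory or the Nuclei template): a request parameter concatenated straight into a `value="..."` attribute, next to the WordPress-idiomatic fix. The form markup, the `render_reset_form_*` function names and the php-cli shims for the WordPress helpers are assumptions made for illustration; the plugin's real output context and its actual fix are not shown on this page.

```php
<?php
// Added illustrative example (not code from Tutor LMS, the advisory or the
// Nuclei template). It reproduces the bug class described above, a request
// parameter echoed into an HTML attribute with no sanitising or escaping, next
// to the WordPress-idiomatic fix. The form markup, the parameter handling and
// the render_* function names are assumptions made for illustration only.

// Shims so the script runs under php-cli without WordPress loaded. Inside
// WordPress the real wp_unslash(), sanitize_text_field(), absint() and
// esc_attr() are already defined and these blocks are skipped.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( string $v ): string { return stripslashes( $v ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( string $v ): string { return trim( strip_tags( $v ) ); }
}
if ( ! function_exists( 'absint' ) ) {
    function absint( $v ): int { return abs( (int) $v ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( string $v ): string {
        return htmlspecialchars( $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable pattern: raw query-string values are concatenated directly into
// value="..." attributes, so a double quote in the input closes the attribute
// and whatever follows becomes new attributes on the element.
function render_reset_form_vulnerable( array $get ): string {
    $reset_key = $get['reset_key'] ?? '';
    $user_id   = $get['user_id'] ?? '';
    return '<input type="text" name="reset_key" value="' . $reset_key . '">' . "\n"
         . '<input type="hidden" name="user_id" value="' . $user_id . '">';
}

// Fixed pattern: unslash and sanitise on the way in, then escape for the
// attribute context on the way out. sanitize_text_field() alone does not stop
// the payload below (it contains no tags); esc_attr() turning the quotes into
// &quot; is what keeps the value inside the attribute. user_id is coerced to a
// non-negative integer, which removes the injection surface entirely.
function render_reset_form_fixed( array $get ): string {
    $reset_key = isset( $get['reset_key'] )
        ? sanitize_text_field( wp_unslash( (string) $get['reset_key'] ) )
        : '';
    $user_id = isset( $get['user_id'] ) ? absint( $get['user_id'] ) : 0;
    return '<input type="text" name="reset_key" value="' . esc_attr( $reset_key ) . '">' . "\n"
         . '<input type="hidden" name="user_id" value="' . esc_attr( (string) $user_id ) . '">';
}

// Constructed request for the demo: the reset_key value breaks out of the
// attribute and adds an event handler, the usual attribute-context XSS shape.
$request = [
    'reset_key' => '" autofocus onfocus="alert(document.domain)" x="',
    'user_id'   => '1',
];

echo "vulnerable output:\n", render_reset_form_vulnerable( $request ), "\n\n";
echo "fixed output:\n", render_reset_form_fixed( $request ), "\n";
```

Run with `php example.php`: the vulnerable rendering comes back with the attribute closed early and an `onfocus` handler sitting on the element, while the fixed rendering carries the same bytes encoded as `&quot;` inside the attribute. The point worth keeping from this is that input sanitisation is not a substitute for output escaping; the payload has no tags for `sanitize_text_field()` to strip, so only context-aware escaping at the output point (`esc_attr()` for attributes) neutralises it.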
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themeum | tutor_lms | < 2.0.10 | 2.0.10 |
No detection rules found.
Nuclei
CVE-2023-0236 [MEDIUM] WordPress Tutor LMS <2.0.10 - Cross Site Scripting (nuclei · CVSS 6.1)
Template (fragment):
```yaml
WordPress Tutor LMS ")'
      - 'contains(body_2, "Instructor Registration")'
    condition: and
# digest: 4a0a00473045022100c2fc49acf4444156e173a5748b301a47c3e34c175ce3f0b37592a9cf3897e611022068e60d31ea44c515ab04f2e069b88a390270c4e4ccc8ff09a8731cfd50d7b1e4:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.