CVE-2021-24504
Last modified
CVE-2021-24504 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated). EPSS estimates a 0.76% chance of exploitation in the next 30 days.
Description
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wplearnmanager | Wp Learn Manager | <= 1.1.2 |
References
- https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24504?
How severe is CVE-2021-24504?
How do I fix CVE-2021-24504?
Are you affected by CVE-2021-24504?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST