CVE-2026-13443
Last modified
CVE-2026-13443 is a medium-severity vulnerability rated 6.4/10 on the CVSS scale. The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.. EPSS estimates a 0.21% chance of exploitation in the next 30 days.
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution | <= 3.9.13 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13443?
How severe is CVE-2026-13443?
How do I fix CVE-2026-13443?
Related CVEs from 2026
- CVE-2026-1343IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.2
- CVE-2026-13430The Post Export Import with Media plugin for WordPress is vu…7.2
- CVE-2026-13434A flaw was found in KubeVirt's network annotation generator.…4.9
- CVE-2026-13437Insertion of sensitive information into sent data in the AI …6.5
- CVE-2026-1344Tanium addressed an insecure file permissions vulnerability …5.5
- CVE-2026-13441The EventPrime – Events Calendar, Bookings and Tickets plugi…7.2
- CVE-2026-13449IBM Business Automation Manager Open Editions 9.0.0 through …9.1
- CVE-2026-1345IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.3
- CVE-2026-13450The GamiPress – Gamification plugin to reward points, achiev…5.3
- CVE-2026-13454The MotoPress Appointment Booking plugin for WordPress is vu…6.5
- CVE-2026-13455PostgreSQL Anonymizer contains a vulnerability that allows u…4.3
- CVE-2026-13459The JetFormBuilder — Dynamic Blocks Form Builder plugin for …5.3
Are you affected by CVE-2026-13443?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
