WordPress Plugin Vulnerabilities

Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Affects Plugins

Plugin icon
tutor
Fixed in 2.3.0

References

CVE
CVE-2023-4805

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
emad-fazel
Submitter
emad-fazel
Submitter website
http://arganex.top/
Verified
Yes
WPVDB ID
1049e940-49b1-4236-bea2-c636f35c5647

Timeline

Publicly Published
2023-09-25 (about 2 years ago)
Added
2023-09-25 (about 2 years ago)
Last Updated
2023-09-25 (about 2 years ago)

Other

Published
Title
Published
2025-03-24
Title
Pretty file links <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-02
Title
Block Controller <= 1.4.3 - Reflected Cross-Site Scripting
Published
2023-09-11
Title
Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
Published
2024-03-29
Title
WooCommerce Bookings Calendar <= 1.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-11
Title
Porto Theme - Functionality <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting