LearnDash < 3.1.2 – Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field. | CVE 2020-7108

Description

Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.

First reported to Learndash on January 14, 2020, and update 3.1.2 to fix it was released same day.

This report is based on an email LearnDash sent out to their users on January 14, 2020.

Proof of Concept

From the Original Researcher (Jinson Varghese Behanan, @JinsonCyberSec):

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

Affects Plugins

sfwd-lms

Fixed in 3.1.2

References

CVE

CVE-2020-7108

URL

https://learndash.releasenotes.io/release/uCskc-version-312

URL

https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/

URL

https://www.jinsonvarghese.com/reflected-xss-in-learndash-wordpress-plugin/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Jinson Varghese Behanan (@JinsonCyberSec)

Submitter

Andrew Wilder

Submitter website

https://www.nerdpress.net

Submitter twitter

@nerdpress

Verified

WPVDB ID

2e14f830-11e0-458e-88db-92fdb4eebf86

Timeline

Publicly Published

2020-01-15 (about 6 years ago)

Added

2020-01-15 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-09-05

Title

Aparat Video Shortcode <= 0.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-25

Title

Church Admin < 4.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Published

2025-07-17

Title

Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-09-17

Title

Mobiloud < 2.3.8 - Multiple Cross-Site Scripting (XSS)

Published

2018-12-04

Title

All in One SEO Pack < 2.10 - Authenticated Stored Cross-Site Scripting (XSS)