WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Cluevo < 1.8.1 - Admin+ Stored Cross Site Scripting

Description

The plugin does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

On the Learning Management page (/wp-admin/admin.php?page=cluevo-lms), click Add Course, then put the following payload in the Insert Module field and click on the Save button: "><script>alert(/XSS/)</script>

Affects Plugins

cluevo-lms
Fixed in version 1.8.1

References

CVE
CVE-2021-25029

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Rutuja D Shirke

Submitter

Rutuja D Shirke

Submitter website
https://www.linkedin.com/in/rutujashirke2812/
Verified

Yes

WPVDB ID
723d0d07-c48b-4fe3-9fb2-7dae3c7d3cfb

Timeline

Publicly Published

2022-01-10 (about 1 years ago)

Added

2022-01-10 (about 1 years ago)

Last Updated

2022-04-16 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin