Cluevo < 1.8.1 – Admin+ Stored Cross Site Scripting | CVE 2021-25029 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

On the Learning Management page (/wp-admin/admin.php?page=cluevo-lms), click Add Course, then put the following payload in the Insert Module field and click on the Save button: "><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 1.8.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rutuja D Shirke

Submitter

Rutuja D Shirke

Submitter website

https://www.linkedin.com/in/rutujashirke2812/

Verified

Yes

WPVDB ID

723d0d07-c48b-4fe3-9fb2-7dae3c7d3cfb

Timeline

Publicly Published

2022-01-10 (about 3 years ago)

Added

2022-01-10 (about 3 years ago)

Last Updated

2022-04-16 (about 3 years ago)

Other

Published

Title

Published

2025-01-16

Title

CBX Accounting & Bookkeeping <= 1.3.14 - Reflected Cross-Site Scripting

Published

2025-09-05

Title

Admin Menu Editor < 1.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder Parameter

Published

2014-08-01

Title

Zingiri Form Builder - "error" Cross-Site Scripting

Published

2014-08-01

Title

WordPress 3.6 - _wp_http_referer Parameter Cross-Site Scripting (XSS)

Published

2025-04-01

Title

Design Blocks <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting