WordPress Plugin Vulnerabilities

Tutor LMS < 1.9.6 - Reflected Cross-Site Scripting

Description

The plugin does not escape a page parameter before outputting it back in an student dashboard page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
tutor
Fixed in 1.9.6

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
7978b7dd-54ca-4a13-9bc3-3cf96ad93339

Timeline

Publicly Published
2021-08-09 (about 4 years ago)
Added
2021-08-09 (about 4 years ago)
Last Updated
2021-08-09 (about 4 years ago)

Other

Published
Title
Published
2026-02-03
Title
Menu Icons by ThemeIsle < 0.13.21 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2022-03-02
Title
Coupon Affiliates < 4.16.4.5 - Unauthenticated Stored XSS
Published
2024-10-24
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-06-27
Title
Silesia <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Shortcode
Published
2025-09-22
Title
xili-tidy-tags <= 1.12.06 - Authenticated (Contributor+) Stored Cross-Site Scripting