WordPress Plugin Vulnerabilities

Tutor LMS < 2.6.1 - Student+ HTML Injection via Q&A

Description

The plugin is vulnerable to HTML Injection due to insufficient sanitization of HTML input in the Q&A functionality, allowing authenticated attackers, with Student access and above, to inject arbitrary HTML onto a site, though it does not allow Cross-Site Scripting

Affects Plugins

Plugin icon
tutor
Fixed in 2.6.1

References

CVE
CVE-2024-1128
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/22420c2d-788c-4577-ae54-7b48f6063f5d

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
drop
Verified
No
WPVDB ID
7f33fe29-1b90-4e68-a3a0-c2bf276f40c6

Timeline

Publicly Published
2024-02-20 (about 2 years ago)
Added
2024-02-21 (about 2 years ago)
Last Updated
2024-02-21 (about 2 years ago)

Other

Published
Title
Published
2026-02-17
Title
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 6.0.7.0 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment
Published
2024-04-22
Title
Pricing Table by Supsystic < 1.9.13 - Admin+ Content Injection
Published
2024-06-28
Title
Photo Gallery by Ays < 5.7.1 - Administrator+ HTML Injection
Published
2023-11-07
Title
ARI Stream Quiz < 1.3.3 - Contributor+ Content Injection
Published
2024-06-06
Title
YITH WooCommerce Product Add-Ons < 4.9.3 - Unauthenticated Content Injection