Tutor LMS < 1.9.12 – Subscriber+ Stored Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not escape the 'Job Title" field of user's profile, which could allow any authenticated users to set a Cross-Site Scripting payload in it, which will be triggered when an admin edit the related profile

Proof of Concept

As a subscriber, edit your profile and add the following payload in the Job Title field (Tutor Fields section): " autofocus onfocus=alert('XSS')//

The XSS will be triggered when an admin edit the subscriber profile (as well when the user edit their own profile, but that’s self-XSS)

Affects Plugins

Fixed in 1.9.12

References

URL

https://plugins.trac.wordpress.org/changeset/2643821

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

creadpag

Submitter

creadpag

Submitter website

https://www.creadpag.com/

Submitter twitter

Verified

Yes

WPVDB ID

a9bca7a6-c409-41d4-995e-48fd0f8264a3

Timeline

Publicly Published

2021-12-27 (about 4 years ago)

Added

2021-12-27 (about 4 years ago)

Last Updated

2021-12-27 (about 4 years ago)

Other

Published

Title

Published

2024-10-14

Title

El mejor Cluster < 1.1.16 - Contributor+ Stored XSS

Published

2025-12-11

Title

Paypal Payment Shortcode <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute

Published

2022-02-21

Title

Team Circle Image Slider With Lightbox < 1.0.16 - Reflected Cross-Site Scripting

Published

2024-08-19

Title

Tutor LMS Elementor Addons < 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget

Published

2022-03-21

Title

Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting