WordPress Plugin Vulnerabilities

Tutor LMS < 2.3.0 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
tutor
Fixed in 2.3.0

References

CVE
CVE-2023-49829
URL
https://patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-2-2-4-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
de7d8179-1316-4d23-98e7-c1a77b749c96

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-11 (about 2 years ago)
Last Updated
2023-12-11 (about 2 years ago)

Other

Published
Title
Published
2025-03-18
Title
RDP Linkedin Login <= 1.7.0 - Reflected Cross-Site Scripting
Published
2024-04-05
Title
Easy Login Styler – White Label Admin Login Page for WordPress <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-04-12
Title
WP Google Analytics Events < 2.8.1 - Reflected Cross-Site Scripting
Published
2024-09-12
Title
Spiffy Calendar < 4.9.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2018-03-05
Title
iThemes Security <= 6.9.0 - Cross-Site Scripting (XSS)