Tutor LMS < 2.7.3 – Authenticated (Tutor Instructor+) Stored Cross-Site Scripting | CVE 2024-37947 | Plugin Vulnerabilities

Description

The Tutor LMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with tutor instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/68394503-d989-40d8-b033-24c011294158

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

akas wisnu aji

Verified

No

WPVDB ID

ec34a631-9b65-4ffb-97e1-a6f74ff1fa1c

Timeline

Publicly Published

2024-07-10 (about 1 year ago)

Added

2024-07-18 (about 1 year ago)

Last Updated

2024-07-18 (about 1 year ago)

Other

Published

Title

Published

2022-09-23

Title

FontMeister <= 1.08 - Reflected Cross-Site Scripting

Published

2024-09-12

Title

PDF Thumbnail Generator < 1.4 - Reflected Cross-Site Scripting

Published

2025-11-03

Title

TablePress < 3.2.5 - Contributor+ Stored XSS

Published

2025-07-08

Title

Simple Featured Image <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via slideshow Parameter

Published

2021-08-18

Title

Jock on air now < 5.6.3 - Authenticated Stored Cross-Site Scripting