Lucene search

WordfenceCVELIST:CVE-2024-1128

HistoryFeb 20, 2024 - 6:56 p.m.

CVE-2024-1128

2024-02-2018:56:22

Wordfence

www.cve.org

tutor lms

wordpress

html injection

q&a functionality

authenticated attackers

student access

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

0.0004 Low

EPSS

Percentile

9.1%

JSON

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.6.0. This is due to insufficient sanitization of HTML input in the Q&A functionality. This makes it possible for authenticated attackers, with Student access and above, to inject arbitrary HTML onto a site, though it does not allow Cross-Site Scripting

CNA Affected

[
  {
    "vendor": "themeum",
    "product": "Tutor LMS – eLearning and online course solution",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.6.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset/3037911/tutor/tags/2.6.1/classes/Q_and_A.php?old=2827221&old_path=tutor/trunk/classes/Q_and_A.php

www.wordfence.com/threat-intel/vulnerabilities/id/22420c2d-788c-4577-ae54-7b48f6063f5d?source=cve

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-1128