16 matches found
CVE-2026-31914
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS. This issue affects WP Courses LMS: from n/a through <= 3.2.26...
CVE-2026-31914 WordPress WP Courses LMS plugin <= 3.2.26 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS. This issue affects WP Courses LMS: from n/a through <= 3.2.26...
CVE-2021-24621
The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues...
CVE-2020-26876
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step for course videos and materials by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types e.g.,...
CVE-2024-12172 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update
The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpcupdateusermetaoption function in all versions up to, and including, 3.2.21. This makes it...
CVE-2024-12172 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update
The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpcupdateusermetaoption function in all versions up to, and including, 3.2.21. This makes it...
WP Courses LMS < 3.2.4 - Subscriber+ Arbitrary Options Update
Description: The plugin is vulnerable to unauthorized modification of data due to missing capability check on the wpcsavefeoption function hooked via AJAX in all versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
CVE-2021-24621
The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues...
CVE-2021-24621
The CVE-2021-24621 entry concerns the WP Courses LMS WordPress plugin (versions before 2.0.44). The vulnerability is due to inadequate sanitisation of the Video Embed Code, allowing an authenticated high-privilege user to inject malicious code, leading to Stored Cross-Site Scripting. Affected com...
CVE-2021-24621 WP Courses LMS < 2.0.44 - Authenticated Stored XSS via Video Embed Code
The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues...
WordPress plugin cross-site scripting vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports personal blog sites on servers running PHP and MySQL. A security vulnerability exists in the WordPress plugin WP Courses LMS, which stems from the WP Courses LMS...
WordPress WP Courses LMS plugin <= 2.0.43 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Tri Wanda Septian in WordPress WP Courses LMS plugin versions <= 2.0.43. Solution: Update the WordPress WP Courses LMS plugin to the latest available version (at least 2.0.44)...
Design/Logic Flaw
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step for course videos and materials by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types e.g.,...
CVE-2020-26876
CVE-2020-26876 – WordPress WP Courses Plugin up to version 2.0.27/2.0.29 suffers from an information disclosure via the REST API. The issue stems from show_in_rest being enabled for custom post types, allowing access to private course videos and materials through endpoints like /wp-json/wp/v2/course o...
CVE-2020-26876
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step for course videos and materials by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types e.g.,...
VulnCheck KEV: CVE-2020-26876
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step for course videos and materials by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types e.g.,...