Lucene search

WpvulndbWPVDB-ID:D4A2E407-EA3B-4A1B-8AF2-4EA32A6A4973

HistoryJun 13, 2024 - 12:00 a.m.

Sensei Pro (WC Paid Courses) < 4.24.0.1.24.0 - Authenticated (Student+) Stored Cross-Site Scripting

2024-06-1300:00:00

wpscan.com

sensei pro

wordpress

cross-site scripting

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

AI Score

5.8

Confidence

High

JSON

Description The Sensei Pro (WC Paid Courses) plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.23.1.1.23.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

References

www.wordfence.com/threat-intel/vulnerabilities/id/83a81b1c-40cf-43ea-a36d-eaf342e65fc2