CVE-2021-24504 Information

Description

The WP LMS – Best WordPress LMS Plugin WordPress plugin through version 1.1.2 does not sanitise or validate its User Field Titles, so an XSS payload can be placed in them. Furthermore, the request that sets these titles performs no CSRF (nonce) check and no capability check, so the attack can be carried out either via CSRF against a privileged user or directly by any user, including unauthenticated visitors.
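The advisory names three missing controls: input sanitisation, a CSRF nonce check, and a capability check. The following is an added illustration of that class of bug in a generic WordPress AJAX handler; it is not code from the WP LMS plugin, and the function names, option key, AJAX action name and request parameter are all assumed for the example. The vulnerable variant is shown beside the hardened one.

```php
<?php
/*
 * Hypothetical illustration of the bug class described in CVE-2021-24504.
 * NOT code from the WP LMS plugin: every identifier below is assumed.
 */

// ---- Vulnerable pattern -----------------------------------------------
// Registered for both logged-in and anonymous AJAX callers, e.g.:
//   add_action( 'wp_ajax_wplms_demo_save_titles',        'wplms_demo_save_titles_vulnerable' );
//   add_action( 'wp_ajax_nopriv_wplms_demo_save_titles', 'wplms_demo_save_titles_vulnerable' );
function wplms_demo_save_titles_vulnerable() {
    // No nonce check              -> exploitable via CSRF.
    // No capability check, and a nopriv hook -> any visitor can write the option.
    // No sanitisation             -> "<script>..." is stored verbatim.
    $titles = isset( $_POST['field_titles'] ) ? (array) $_POST['field_titles'] : array();
    update_option( 'wplms_demo_field_titles', $titles );
    wp_send_json_success();
}

function wplms_demo_render_titles_vulnerable() {
    foreach ( (array) get_option( 'wplms_demo_field_titles', array() ) as $title ) {
        // Unescaped output: a stored payload runs in every viewer's browser.
        echo '<label>' . $title . '</label>';
    }
}

// ---- Hardened pattern -------------------------------------------------
// Only the logged-in hook; no wp_ajax_nopriv_ registration at all.
//   add_action( 'wp_ajax_wplms_demo_save_titles', 'wplms_demo_save_titles_hardened' );
function wplms_demo_save_titles_hardened() {
    // 1. CSRF: the form must carry wp_nonce_field( 'wplms_demo_save_titles', '_wpnonce' ).
    //    check_ajax_referer() dies with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'wplms_demo_save_titles', '_wpnonce' );

    // 2. Authorisation: only users allowed to change plugin settings may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: strip tags and control characters, bound count and length.
    $raw    = isset( $_POST['field_titles'] ) ? wp_unslash( (array) $_POST['field_titles'] ) : array();
    $titles = array();
    foreach ( array_slice( $raw, 0, 50 ) as $title ) {
        $clean = sanitize_text_field( (string) $title );
        if ( '' !== $clean ) {
            $titles[] = mb_substr( $clean, 0, 100 );
        }
    }
    update_option( 'wplms_demo_field_titles', $titles );
    wp_send_json_success( array( 'saved' => count( $titles ) ) );
}

function wplms_demo_render_titles_hardened() {
    foreach ( (array) get_option( 'wplms_demo_field_titles', array() ) as $title ) {
        // 4. Output encoding for the HTML text context the value lands in.
        echo '<label>' . esc_html( $title ) . '</label>';
    }
}
```

The two server-side checks are independent and both are needed: a nonce alone still lets any logged-in low-privilege user write the titles, while a capability check alone still lets an attacker drive an administrator's browser through CSRF. Sanitising on input and escaping on output are likewise separate layers; `esc_html()` must match the context the value is rendered in (use `esc_attr()` inside attributes).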

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
