CVE-2021-24504

MEDIUM

Wplearnmanager WP Learn Manager < 1.1.2 - CSRF

Description

The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payloads to be used in them. Furthermore, no CSRF or capability checks were in place, allowing such an attack to be performed either via CSRF or as any user (including unauthenticated users).

References (1)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1

Scores

CVSS v3 6.1
EPSS 0.0076
EPSS Percentile 50.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-352 CWE-79
Status published
Products (1)
wplearnmanager/wp_learn_manager < 1.1.2
Published Aug 02, 2021
Tracked Since Feb 18, 2026