Reflected Cross-Site Scripting Vulnerability in CLUEVO LMS E-Learning Platform Plugin for WordPress
CVE-2024-11328

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Cluevo Lms, E-learning Platform
Vendor: CVE Published:; 9 January 2025

What is CVE-2024-11328?

The CLUEVO LMS E-Learning Platform plugin for WordPress has a vulnerability that allows unauthenticated attackers to execute malicious scripts via reflected cross-site scripting. This occurs due to inadequate escaping in the URL manipulation functions add_query_arg and remove_query_arg. Attackers can exploit this weakness to inject arbitrary web scripts into pages, enabling them to trick users into clicking compromised links, leading to possible data exposure or other malicious activities.

Affected Version(s)

CLUEVO LMS, E-Learning Platform * <= 1.13.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/cluevo-lms/tag...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 9, 2025
Vulnerability Reserved
Nov 18, 2024

Credit

Dale Mavers