Reflected Cross-Site Scripting Vulnerability in CLUEVO LMS E-Learning Platform Plugin for WordPress
CVE-2024-11328

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
Cluevo Lms, E-learning Platform
Vendor
CVE Published:
9 January 2025

Summary

The CLUEVO LMS E-Learning Platform plugin for WordPress has a vulnerability that allows unauthenticated attackers to execute malicious scripts via reflected cross-site scripting. This occurs due to inadequate escaping in the URL manipulation functions add_query_arg and remove_query_arg. Attackers can exploit this weakness to inject arbitrary web scripts into pages, enabling them to trick users into clicking compromised links, leading to possible data exposure or other malicious activities.

Affected Version(s)

CLUEVO LMS, E-Learning Platform * <= 1.13.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/cluevo-lms/tag...
https://plugins.trac.wordpress.org/browser/cluevo-lms/tag...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers
.