CVE-2021-24455 — MEDIUM (5.4)

Q: How severe is CVE-2021-24455?

CVE-2021-24455 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-24455?

Check the references section above for vendor advisories and patch information. Affected products include: Themeum Tutor Lms.

Vulnerability Description

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Themeum	Tutor Lms	< 1.9.2

Related Weaknesses (CWE)

CWE-79

References

https://wpscan.com/vulnerability/9ef14cf1-1e04-4125-a296-9aa5388612f9ExploitThird Party Advisory
https://wpscan.com/vulnerability/9ef14cf1-1e04-4125-a296-9aa5388612f9ExploitThird Party Advisory

FAQ

What is CVE-2021-24455?

CVE-2021-24455 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users...

How severe is CVE-2021-24455?

CVE-2021-24455 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24455?

Check the references section above for vendor advisories and patch information. Affected products include: Themeum Tutor Lms.