Mohammed Adam

**Name of the Vulnerable Software and Affected Versions** WP Learn Manager version 1.1.2 **Description** A stored cross-site scripting issue allows unauthenticated attackers to inject malicious scripts. This is achieved by submitting POST requests to the 'jslm fieldordering' page using the `fieldtitle` parameter. The injected JavaScript executes when administrators access the field ordering interface. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The WP LMS – Best WordPress LMS Plugin versions 1.1.2 and earlier **Description** The issue arises from the plugin's failure to properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Additionally, the lack of CSRF and capability checks enables such attacks to be performed either via CSRF or as any user, including unauthenticated ones. **Recommendations** For versions 1.1.2 and earlier, update to a version that properly sanitizes and validates User Field Titles and implements CSRF and capability checks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Google Maps versions prior to 8.1.12 **Description** The issue is related to an authenticated Stored Cross-Site Scripting problem. It occurs because the Map Name is not properly sanitised, validated, or escaped when it is output in the Map List of the admin dashboard. **Recommendations** For versions prior to 8.1.12, update to version 8.1.12 or later to resolve the issue.