CVE-2021-24308

Name of the Vulnerable Software and Affected Versions LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress versions prior to 4.21.1

Description The issue arises from the improper sanitization of the State field in the Edit profile page, which can lead to a stored Cross-Site Scripting issue when output in the About section of the profile page. This could allow low-privilege users, such as students, to elevate their privileges via an XSS attack when an admin views their profile.

Recommendations For versions prior to 4.21.1, update to version 4.21.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Edit profile page and the About section of the profile page to minimize the risk of exploitation.