CVE-2021-24504

Name of the Vulnerable Software and Affected Versions The WP LMS – Best WordPress LMS Plugin versions 1.1.2 and earlier

Description The issue arises from the plugin's failure to properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Additionally, the lack of CSRF and capability checks enables such attacks to be performed either via CSRF or as any user, including unauthenticated ones.

Recommendations For versions 1.1.2 and earlier, update to a version that properly sanitizes and validates User Field Titles and implements CSRF and capability checks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.