CVE-2021-39348

Name of the Vulnerable Software and Affected Versions: LearnPress WordPress plugin versions up to and including 4.1.3.1

Description: The issue is related to Stored Cross-Site Scripting due to insufficient escaping on the custom profile parameter in the ~/inc/admin/views/backend-user-profile.php file. This allows attackers with administrative user access to inject arbitrary web scripts. The issue affects multi-site installations where unfiltered html is disabled for administrators and sites where unfiltered html is disabled.

Recommendations: For versions up to and including 4.1.3.1, update to a version that includes the necessary security fixes to address the insufficient escaping on the custom profile parameter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.