CVE-2022-0271

Name of the Vulnerable Software and Affected Versions LearnPress WordPress plugin versions prior to 4.1.6

Description The issue arises from the LearnPress WordPress plugin's failure to sanitise and escape the lp-dismiss-notice before outputting it via the lp background single email AJAX action, leading to a Reflected Cross-Site Scripting attack. This vulnerability can be exploited by a remote attacker to conduct an inter-site scripting attack.

Recommendations For versions prior to 4.1.6, update to version 4.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the lp background single email AJAX action until a patch is applied. Avoid using the lp-dismiss-notice parameter in the affected AJAX endpoint until the issue is resolved.