CVE-2024-1128

Name of the Vulnerable Software and Affected Versions The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.6.0

Description The issue is due to insufficient sanitization of HTML input in the Q&A functionality, making it possible for authenticated attackers with Student access and above to inject arbitrary HTML onto a site. This does not allow Cross-Site Scripting.

Recommendations For versions up to, and including, 2.6.0, update to a version later than 2.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the Q&A functionality to minimize the risk of exploitation.