CVE-2021-25017 – Tutor LMS < 1.9.12 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25017
The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue.
References:
https://plugins.trac.wordpress.org/changeset/2643821
https://wpscan.com/vulnerability/2d0c4872-a341-4974-926c-10b094a5d13c
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25013 – Qubely < 1.7.8 - Subscriber+ Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2021-25013
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF checks on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belongs to the plugin. As a result, any authenticated user, such as a subscriber, can delete arbitrary posts.
References:
https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0
Weaknesses: CWE-352: Cross-Site Request Forgery (CSRF); CWE-862: Missing Authorization
CVE-2021-24873 – Tutor LMS < 1.9.11 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24873
The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting it back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue.
References:
https://plugins.trac.wordpress.org/changeset/2615802/tutor
https://wpscan.com/vulnerability/19980b57-1954-4a29-b2c2-43eadf758ed3
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24740 – Tutor LMS < 1.9.9 - Multiple Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24740
The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
References:
https://wpscan.com/vulnerability/e6cf694d-c4ae-4b91-97c0-a6bdbafc7d60
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24455 – Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24455
The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This led to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.
References:
https://wpscan.com/vulnerability/9ef14cf1-1e04-4125-a296-9aa5388612f9
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')