vulnerability

WordPress Plugin: lifterlms: CVE-2021-24308: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:S/C:N/I:P/A:N)	May 10, 2021	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Published

May 10, 2021

Added

May 15, 2025

Modified

May 15, 2025

Description

The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership and Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile.

Solution

lifterlms-plugin-cve-2021-24308

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-24308
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/86b54c46-a637-4fc4-8d48-a02383c9814b?source=api-prod
CVE-2021-24308
https://attackerkb.com/topics/CVE-2021-24308

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today