Threat Entry Updated 2025-01-09

CVE-2024-11328 - E Learning Platform Plugin

The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.13.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN E Learning Platform

CVE-2024-11328

MEDIUM CVSS 6.1 2025-01-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-12-06

CVE-2024-11444 - E Learning Platform Plugin

The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.13.2. This is due to missing or incorrect nonce validation on the cluevo_render_module_ui() function. This makes it possible for unauthenticated attackers to delete modules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN E Learning Platform

CVE-2024-11444

MEDIUM CVSS 4.3 2024-12-06

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-25029 - E Learning Platform Plugin

The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

PLUGIN E Learning Platform

CVE-2021-25029

MEDIUM CVSS 4.8 2022-02-07

Risk Score

Open Full Technical Breakdown