The plugin does not sanitise and escape Course’s module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
On the Learning Management page (/wp-admin/admin.php?page=cluevo-lms), click Add Course, then put the following payload in the Insert Module field and click on the Save button: ">
CPE | Name | Operator | Version |
---|---|---|---|
cluevo-lms | lt | 1.8.1 |