2 vulnerabilities by wplearnmanager
CVE-2021-47975 (GCVE-0-2021-47975)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:26 – Updated: 2026-05-26 11:51
Title
WordPress Plugin WP Learn Manager 1.1.2 Stored XSS
Summary
WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the `fieldtitle` parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/50086 | exploit |
| https://wplearnmanager.com/ | product |
| https://wordpress.org/plugins/learn-manager/ | product |
| https://www.vulncheck.com/advisories/wordpress-plugin-wp-learn-manager-stored-xss | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wplearnmanager | WP Learn Manager | Affected: 1.1.2 | |
Date Public
2021-07-02 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47975",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T19:55:49.468919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T19:56:03.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP Learn Manager",
"vendor": "Wplearnmanager",
"versions": [
{
"status": "affected",
"version": "1.1.2"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.2:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.5:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.4:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.3:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.1:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.1.0:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.9:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.8:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.7:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.6:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.5:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.4:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.3:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.2:*:*:*:*:wordpress:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wplearnmanager:wp_learn_manager:1.0.0:*:*:*:*:wordpress:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammed Adam"
}
],
"datePublic": "2021-07-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the `fieldtitle` parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T11:51:44.939Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50086",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50086"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://wplearnmanager.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://wordpress.org/plugins/learn-manager/"
},
{
"name": "VulnCheck Advisory: WordPress Plugin WP Learn Manager 1.1.2 Stored XSS",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-wp-learn-manager-stored-xss"
}
],
"title": "WordPress Plugin WP Learn Manager 1.1.2 Stored XSS",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47975",
"datePublished": "2026-05-16T15:26:15.528Z",
"dateReserved": "2026-05-16T14:36:27.726Z",
"dateUpdated": "2026-05-26T11:51:44.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24504 (GCVE-0-2021-24504)
Vulnerability from cvelistv5 – Published: 2021-08-02 10:32 – Updated: 2024-08-03 19:35
Title
WP LMS <= 1.1.2 - Stored Cross-Site Scripting (XSS)
Summary
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payloads to be used in them. Furthermore, no CSRF or capability checks were in place, allowing such an attack to be performed either via CSRF or by any user (including unauthenticated users).
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP LMS – Best WordPress LMS Plugin | Affected: 1.1.2, ≤ 1.1.2 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP LMS \u2013 Best WordPress LMS Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "1.1.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mohammed Adam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP LMS \u2013 Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-02T10:32:30.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP LMS \u003c= 1.1.2 - Stored Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24504",
"STATE": "PUBLIC",
"TITLE": "WP LMS \u003c= 1.1.2 - Stored Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP LMS \u2013 Best WordPress LMS Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.1.2",
"version_value": "1.1.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Mohammed Adam"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP LMS \u2013 Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24504",
"datePublished": "2021-08-02T10:32:30.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:35:20.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}