CVE-2023-4805: CWE-79 Cross-Site Scripting (XSS) in Unknown Tutor LMS

Medium
Published: Mon Oct 16 2023 (10/16/2023, 19:39:06 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Tutor LMS

Description

The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

AI-Powered Analysis

Last updated: 06/22/2025, 09:36:25 UTC

Technical Analysis

CVE-2023-4805 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the Tutor LMS WordPress plugin versions prior to 2.3.0. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows users with relatively low privileges, such as subscribers, to inject malicious JavaScript code into the plugin's stored settings. Notably, this exploitation is possible even when the WordPress capability 'unfiltered_html' is disabled, which is often the case in multisite WordPress installations. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score of 5.4 reflects a medium severity level: the attack vector is network (remote exploitation), attack complexity is low, low privileges are required, and user interaction is required. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss, with no impact on availability. Although no known exploits are reported in the wild, the vulnerability could allow an attacker to execute arbitrary JavaScript in the context of other users, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the LMS environment. Since Tutor LMS is a widely used WordPress plugin for managing online courses, exploitation could affect educational institutions, corporate training platforms, and other organizations relying on this plugin for e-learning services.

Potential Impact

For European organizations, the impact of CVE-2023-4805 can be significant, especially for entities relying on Tutor LMS for educational or training purposes. Successful exploitation could lead to unauthorized access to user sessions, theft of sensitive information such as personal data or credentials, and manipulation of course content or user progress data. This undermines the integrity and confidentiality of the LMS platform and could damage organizational reputation and compliance with data protection regulations like GDPR. Additionally, attackers could leverage the XSS vulnerability to deliver further attacks such as phishing or malware distribution within the LMS user base. The risk is heightened in multisite WordPress deployments common in universities and large enterprises, where the vulnerability bypasses typical restrictions on HTML content. Although availability is not directly impacted, the indirect consequences of data breaches or loss of trust could disrupt educational services and require costly incident response and remediation efforts.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately update the Tutor LMS plugin to version 2.3.0 or later, where the issue is resolved through proper input sanitization and escaping. If immediate patching is not feasible, administrators should restrict the ability to modify plugin settings to trusted users only, minimizing the risk of malicious input. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting Tutor LMS settings can provide additional protection. Regularly auditing user roles and permissions within WordPress multisite environments is critical to ensure that low-privilege users cannot escalate their capabilities or inject harmful content. Monitoring logs for unusual activity related to plugin settings changes or unexpected script execution can help detect exploitation attempts early. Finally, educating users about the risks of XSS and encouraging cautious behavior when interacting with LMS content can reduce the likelihood of successful social engineering attacks leveraging this vulnerability.
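The version check and settings audit recommended above can be scripted. This is an added example, not code from the advisory or from Tutor LMS: it assumes the installed plugin version is known and that the plugin's stored settings have been exported as a nested dictionary. The setting names and values in the sample are constructed.

```python
import re

FIXED_VERSION = (2, 3, 0)  # first fixed Tutor LMS release, per the advisory

# Script-capable markup that should not appear in stored plugin settings.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed)\b"   # active-content tags
    r"|<[^>]*\bon\w+\s*="                   # inline event handlers inside a tag
    r"|javascript\s*:",                     # javascript: URLs
    re.IGNORECASE,
)

def parse_version(text):
    """Turn '2.2.4' into (2, 2, 4) so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(installed):
    return parse_version(installed) < FIXED_VERSION

def audit_settings(settings, prefix=""):
    """Return dotted paths of settings whose values contain script-capable markup."""
    findings = []
    for key, value in settings.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            findings += audit_settings(value, path + ".")
        elif isinstance(value, str) and SUSPICIOUS.search(value):
            findings.append(path)
    return findings

# Constructed sample export; these setting names are hypothetical.
SAMPLE_SETTINGS = {
    "course_label": "Courses",
    "email_footer": "<img src=x onerror=alert(1)>",
    "pages": {"login_notice": "<script>alert(1)</script>", "title": "Welcome"},
}

if __name__ == "__main__":
    for version in ("2.2.4", "2.3.0", "2.10.1"):
        print(version, "affected" if is_affected(version) else "fixed")
    print("review:", audit_settings(SAMPLE_SETTINGS))
```

Flagged paths are candidates for manual review, since a value stored before the upgrade stays in the database after the plugin is patched.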

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-09-06T16:20:45.716Z
Cisa Enriched: true

Threat ID: 682d9847c4522896dcbf5324

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/22/2025, 9:36:25 AM

Last updated: 8/11/2025, 9:07:25 PM
