CVE-2024-13599 is a stored cross-site scripting vulnerability identified in the LearnPress – WordPress LMS Plugin, a widely used learning management system plugin for WordPress. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of the lesson name field. Authenticated attackers with LP Instructor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into lesson names. Because the injected scripts are stored persistently, they execute in the context of any user who views the affected lesson page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 4.2.7.5. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the instructor level, no user interaction needed, and a scope change due to impact on other users. The impact primarily affects confidentiality and integrity, with no direct availability impact. No patches or public exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The flaw highlights the importance of proper input validation and output encoding in web applications, especially in multi-user environments like LMS platforms.

The vulnerability allows attackers with relatively low privileges (instructor-level) to execute persistent cross-site scripting attacks, which can compromise the confidentiality and integrity of user data. Attackers can hijack user sessions, steal authentication tokens, manipulate page content, or perform actions on behalf of other users, potentially leading to unauthorized access or privilege escalation within the LMS environment. This can undermine trust in the e-learning platform, expose sensitive educational data, and disrupt organizational operations. Since the vulnerability affects all users who view the injected content, the scope of impact can be broad within affected organizations. Although no availability impact is noted, the reputational damage and potential data breaches can have significant consequences. Organizations relying on LearnPress for critical training or educational services may face compliance and regulatory risks if exploited.

Organizations should immediately upgrade the LearnPress plugin to a fixed version once released by the vendor. In the absence of an official patch, administrators should restrict instructor-level privileges to trusted users only and audit existing lesson names for suspicious content. Implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting lesson name parameters can provide interim protection. Additionally, applying content security policies (CSP) to limit script execution sources can reduce exploitation impact. Regularly monitoring logs for unusual activity and educating instructors about secure content practices are also recommended. Developers should review and enhance input validation and output encoding routines in the plugin codebase to prevent similar issues. Finally, consider isolating LMS environments and enforcing strict access controls to minimize attack surface.