CVE-2024-3560: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in thimpress LearnPress – WordPress LMS Plugin
CVE-2024-3560 is a stored cross-site scripting (XSS) vulnerability in the LearnPress WordPress LMS plugin affecting all versions up to 4.2.6.4. It allows authenticated users with contributor-level access or higher to inject malicious scripts via the _id parameter due to improper input sanitization and output escaping. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions. The vulnerability has a CVSS score of 6.4, indicating medium severity, with no known exploits in the wild currently. Organizations using LearnPress should prioritize patching or applying mitigations to prevent exploitation. The threat primarily impacts WordPress sites using this plugin, which are widespread globally, especially in countries with high WordPress adoption.
AI Analysis
Technical Summary
CVE-2024-3560 is a stored cross-site scripting (XSS) vulnerability identified in the LearnPress plugin for WordPress, a popular Learning Management System (LMS) plugin developed by thimpress. The vulnerability arises from improper neutralization of user-supplied input during web page generation, specifically involving the _id parameter. This parameter is insufficiently sanitized and escaped, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages managed by the plugin. When other users access these compromised pages, the injected scripts execute in their browsers within the context of the vulnerable site. The vulnerability affects all versions up to and including 4.2.6.4. The CVSS v3.1 base score of 6.4 reflects that the attack vector is network-based, requires low attack complexity, and privileges at the level of a contributor, but no user interaction is needed for exploitation. The impact includes potential confidentiality and integrity breaches, such as session hijacking, unauthorized actions, or defacement. No known public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress LMS plugin makes it a significant risk. The vulnerability was published on April 19, 2024, and no official patches or mitigations have been linked at this time.
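The CWE-79 pattern the analysis describes, shown as an added illustration. This is not LearnPress's code and does not reproduce the affected code path: the function names, the meta key, the markup and the sample inputs are all assumed. It contrasts a sink that stores an id-like request parameter verbatim and echoes it unescaped with the validate-on-input, escape-on-output form the plugin would use (WordPress's real absint() and esc_attr(); minimal stand-ins are defined only so the file runs with a plain php interpreter).

```php
<?php
// Illustrative pattern only (added here; not LearnPress code): how an id-like
// request parameter becomes a stored XSS sink, and the validate-on-input /
// escape-on-output fix. Function names, the meta key and the markup are assumed.

// Minimal stand-ins so the file runs with plain `php` outside WordPress;
// inside WordPress the plugin would call the real absint() and esc_attr().
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s): string { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// $meta stands in for post meta written with update_post_meta() by a
// contributor and read back with get_post_meta() when any visitor views the page.

// VULNERABLE: stored verbatim, echoed unescaped into an attribute.
function vulnerable_save(array &$meta, array $request): void {
    $meta['_id'] = $request['_id'] ?? '';
}
function vulnerable_render(array $meta): string {
    return '<div class="lp-item" data-id="' . $meta['_id'] . '"></div>';
}

// HARDENED: an id must be a positive integer, so reject anything else on save,
// and escape on output regardless (defence in depth: the stored value might
// have been written by an older, unvalidated code path).
function hardened_save(array &$meta, array $request): void {
    $id = absint($request['_id'] ?? 0);   // non-numeric input casts to 0
    if ($id === 0) {
        throw new InvalidArgumentException('_id must be a positive integer');
    }
    $meta['_id'] = $id;
}
function hardened_render(array $meta): string {
    return '<div class="lp-item" data-id="' . esc_attr($meta['_id']) . '"></div>';
}

// Constructed inputs (not real payloads): one valid id, one value that closes
// the attribute with a quote and carries inert markup.
$good = ['_id' => '42'];
$bad  = ['_id' => '"><b>not an id</b>'];

$meta = [];
vulnerable_save($meta, $bad);
echo 'vulnerable: ' . vulnerable_render($meta) . PHP_EOL;

try {
    hardened_save($meta, $bad);
} catch (InvalidArgumentException $e) {
    echo 'hardened:   rejected on save: ' . $e->getMessage() . PHP_EOL;
}

hardened_save($meta, $good);
echo 'hardened:   ' . hardened_render($meta) . PHP_EOL;

// Escaping alone, had the bad value reached storage anyway:
$meta['_id'] = $bad['_id'];
echo 'escaped:    ' . hardened_render($meta) . PHP_EOL;
```

In the vulnerable output the leading quote closes the data-id attribute and the markup becomes live HTML for every visitor; in the escaped output the quote and angle brackets are emitted as &quot;, &lt; and &gt;, so the browser treats the whole value as attribute text. Validation and escaping are deliberately both present: the CVSS description ("improper input sanitization and output escaping") points at both halves being missing, and either one alone would have neutralised this particular input.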
Potential Impact
The impact of CVE-2024-3560 is significant for organizations using the LearnPress plugin on WordPress sites, particularly educational institutions, training providers, and enterprises relying on LMS platforms. Exploitation allows attackers with contributor-level access to inject malicious scripts that execute in the browsers of other users, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or spreading malware. This can undermine the integrity and confidentiality of user data and disrupt LMS operations. Since contributor-level access is often granted to content creators or instructors, the attack surface is broader than vulnerabilities requiring administrator privileges. The scope includes all websites running vulnerable versions of LearnPress, which is widely used globally due to WordPress's market dominance. The vulnerability does not directly affect availability but can cause reputational damage and loss of trust if exploited. Organizations without strict access controls or monitoring are at higher risk. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits rapidly once details are public.
Mitigation Recommendations
1. Immediately restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection.
2. Implement strict input validation and output encoding on all user-supplied data, especially the _id parameter, to prevent injection of executable scripts.
3. Monitor web application logs and user activity for unusual behavior indicative of XSS exploitation attempts.
4. Employ a Web Application Firewall (WAF) with rules targeting common XSS patterns to block malicious payloads at the network edge.
5. Encourage users to update the LearnPress plugin to the latest version once an official patch addressing CVE-2024-3560 is released by the vendor.
6. Educate content creators and contributors about the risks of injecting untrusted content and enforce secure content management policies.
7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
8. Regularly audit plugin usage and permissions to ensure minimal privilege principles are enforced.
These steps go beyond generic advice by focusing on access control tightening, proactive monitoring, and layered defenses until a patch is available.
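For recommendations 3 and 4, an added example that is not part of the advisory or of LearnPress: a small review pass over web server access logs that flags any request whose _id parameter is not a plain positive integer, which is the only shape a legitimate id can take. The log format, request paths and sample lines are constructed for the example.

```php
<?php
// Added example for recommendations 3 and 4 (not part of the advisory or of
// LearnPress): scan access-log lines for requests whose _id parameter carries
// anything other than digits. The log lines, paths and format are constructed.

/**
 * Returns one entry per request whose _id value is not a plain positive integer.
 * Expects combined-log-style lines containing "METHOD /path?query HTTP/x".
 */
function suspicious_id_requests(array $lines): array {
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;                         // not a request line we understand
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;                         // no query string
        }
        parse_str($query, $params);           // URL-decodes values (%3C -> <)
        if (!isset($params['_id'])) {
            continue;
        }
        // _id[]=... arrives as an array; treat that as anomalous too
        $value = is_array($params['_id']) ? '[array]' : (string) $params['_id'];
        if (!ctype_digit($value) || $value === '0') {
            $hits[] = ['line' => $n + 1, '_id' => $value];
        }
    }
    return $hits;
}

// Constructed sample lines: a normal request, a URL-encoded markup value, an
// array-style parameter, and a request with no _id at all.
$sample = [
    '203.0.113.5 - - [19/Apr/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&_id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Apr/2024:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=example&_id=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Apr/2024:10:00:09 +0000] "GET /courses/?_id[]=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/Apr/2024:10:00:12 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
];

foreach (suspicious_id_requests($sample) as $hit) {
    printf("line %d: _id=%s\n", $hit['line'], $hit['_id']);
}
```

Only the second and third sample lines are reported. The limitation to keep in mind is that access logs carry the query string but not request bodies, so an _id value submitted in a POST form is invisible to this pass; covering that path needs either WAF inspection of the body (recommendation 4) or application-side logging of what is actually written to post meta. The check is an allow-list on shape (digits only) rather than a deny-list of XSS patterns, which is why it needs no signature updates and has no encoding bypasses to chase.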
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, South Africa, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-04-09T21:33:15.209Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c95b7ef31ef0b5667d2
Added to database: 2/25/2026, 9:41:41 PM
Last enriched: 2/26/2026, 6:16:00 AM
Last updated: 2/26/2026, 9:42:57 AM