CVE-2024-3994 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Tutor LMS plugin for WordPress, a widely used eLearning and online course solution. The flaw exists in the 'tutor_instructor_list' shortcode, which fails to properly sanitize and escape user-supplied attributes. This improper neutralization of input (CWE-79) allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 2.6.2. Exploitation does not require user interaction beyond visiting the compromised page, and no known public exploits have been reported yet. The CVSS 3.1 base score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required at the contributor level. The scope is unchanged, meaning the impact is limited to the affected component. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those handling user-generated content in educational platforms.

The primary impact of CVE-2024-3994 is the potential compromise of user confidentiality and integrity on websites running the vulnerable Tutor LMS plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of other users, including administrators and students, leading to session hijacking, theft of sensitive information such as authentication tokens, and unauthorized actions performed with victim privileges. Although availability is not directly affected, the breach of trust and data integrity can disrupt eLearning operations and damage organizational reputation. Since Tutor LMS is used globally in educational institutions and training providers, exploitation could lead to widespread data leakage and unauthorized access to course materials or user accounts. The medium severity score indicates moderate risk, but the ease of exploitation by authenticated users and the potential for persistent malicious code injection make it a significant concern for organizations relying on this plugin for online education.

1. Immediately restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious shortcode injection. 2. Monitor and audit usage of the 'tutor_instructor_list' shortcode for unusual or suspicious attribute values that may indicate exploitation attempts. 3. Implement web application firewall (WAF) rules to detect and block typical XSS payloads targeting this shortcode. 4. Until an official patch is released, consider disabling or removing the vulnerable shortcode from site content. 5. Educate site administrators and content creators about the risks of XSS and the importance of input validation. 6. Regularly update the Tutor LMS plugin once a security patch addressing this vulnerability becomes available. 7. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources. 8. Use security plugins that provide enhanced input sanitization and output escaping for WordPress shortcodes. These targeted steps go beyond generic advice by focusing on privilege management, monitoring, and temporary disabling of vulnerable features.