CVE-2026-24584: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Themeum Tutor LMS BunnyNet Integration
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0.
AI Analysis
Technical Summary
CVE-2026-24584 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the Themeum Tutor LMS BunnyNet Integration plugin, affecting versions up to and including 1.0.0. The root cause is improper neutralization of input during web page generation. In the DOM-based variant the injection happens in the plugin's client-side JavaScript rather than in server-rendered HTML: attacker-influenced data reaches a DOM sink without sanitization, so arbitrary JavaScript runs in the context of the victim's browser session. The attack vector is remote (network accessible) with low attack complexity, but the attacker needs high privileges (PR:H) and user interaction (UI:R), for example tricking a privileged user into opening a crafted link or interacting with malicious content. Confidentiality, integrity and availability are each affected to a limited degree (C:L/I:L/A:L), and the scope is changed (S:C), meaning the impact extends beyond the vulnerable component, potentially to the entire web application session. No exploitation in the wild has been reported, and no patch had been released at the time of publication. The affected deployments are web applications that pair Tutor LMS with BunnyNet services, commonly used in educational platforms for content delivery acceleration and management. The improper input handling likely involves unsafe DOM manipulation or a failure to sanitize user-controllable parameters, which an attacker could use to run scripts that steal session tokens, perform actions on behalf of the user, or deface content. Given the nature of LMS platforms, exploitation could lead to unauthorized access to educational content, leakage of user data, or disruption of learning services.
Potential Impact
For European organizations, especially educational institutions and e-learning providers using the Tutor LMS with BunnyNet Integration, this vulnerability poses a risk of session hijacking, unauthorized actions, and data leakage. The impact is heightened in environments where privileged users (e.g., administrators or instructors) interact with the vulnerable plugin, as attackers require such privileges to exploit the flaw. Confidentiality could be compromised through theft of session cookies or sensitive user data, integrity could be affected by unauthorized content modifications, and availability might be disrupted by injected scripts causing service interruptions. Although no widespread exploitation is reported, the presence of this vulnerability in widely used LMS platforms could lead to targeted attacks against European educational entities, potentially impacting student data privacy and institutional reputation. The medium severity rating reflects the balance between the required privileges and user interaction against the potential damage. Organizations relying heavily on online education platforms should consider this a significant risk, especially given the increasing reliance on remote learning.
Mitigation Recommendations
1. Monitor Themeum's official channels for security updates and apply patches for the Tutor LMS BunnyNet Integration plugin promptly once released.
2. Until patches are available, consider disabling or removing the BunnyNet Integration plugin if feasible, especially in environments with high privilege users.
3. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks.
4. Conduct thorough input validation and sanitization on all user-controllable inputs within the LMS environment, particularly those interacting with the BunnyNet plugin.
5. Educate privileged users about the risks of clicking on untrusted links or interacting with suspicious content to mitigate the user interaction requirement.
6. Employ Web Application Firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting the LMS platform.
7. Regularly audit and monitor LMS logs for unusual activities that may indicate exploitation attempts.
8. Limit plugin permissions and access rights to the minimum necessary to reduce the attack surface.
9. Consider isolating LMS environments or using sandboxing techniques to contain potential compromises.
10. Review and update incident response plans to include scenarios involving LMS platform compromises.
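One way to apply recommendations 3 and 4 to a DOM-based XSS sink, as an added example that is not code from the Tutor LMS BunnyNet Integration plugin or from Themeum: the first function shows the unsafe concatenate-into-innerHTML pattern that DOM-based XSS depends on, the second validates an embed URL against an https-plus-host allowlist, and the third renders through DOM APIs so a validated value can only ever become an attribute, never markup. The `video` parameter name, the function names, the `cdn.example.net` host and the small fake document (so the block runs under Node without a browser) are all assumptions made for the example.

```javascript
// Added example, not the plugin's code. Contrasts a DOM-XSS-prone rendering
// pattern with a hardened one. Parameter name, function names and the embed
// host are assumptions.

// Constructed placeholder for the CDN host an integration would embed from.
const ALLOWED_EMBED_HOSTS = new Set(['cdn.example.net']);

// Unsafe pattern: a user-controllable query-string value is concatenated into
// markup and written through innerHTML, which the browser parses as HTML.
// This is the kind of sink a DOM-based XSS finding points at.
function renderVideoUnsafe(container, params) {
  const src = params.get('video');
  container.innerHTML = '<iframe src="' + src + '"></iframe>';
}

// Allowlist validation: accept only absolute https URLs on a known host and
// without embedded credentials. Returns the normalized URL string, or null
// when the value is rejected.
function allowedEmbedUrl(value) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null; // rejects javascript:, data:, http:
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Hardened pattern: validate first, then build the element with DOM APIs so
// the value is only ever set as an attribute. On rejection, write plain text
// through textContent, which is never parsed as markup.
// Returns the created element, or null if nothing was rendered.
function renderVideoSafe(doc, container, params) {
  const src = allowedEmbedUrl(params.get('video'));
  if (src === null) {
    container.textContent = 'Video unavailable.';
    return null;
  }
  const frame = doc.createElement('iframe');
  frame.setAttribute('src', src);
  container.replaceChildren(frame);
  return frame;
}

// Minimal stand-in for the browser DOM so the example runs under Node.
// In a browser, pass `document` and a real container element instead.
function makeFakeDocument() {
  const makeElement = (tag) => ({
    tagName: tag,
    attributes: {},
    children: [],
    textContent: '',
    innerHTML: '',
    setAttribute(name, value) { this.attributes[name] = String(value); },
    getAttribute(name) { return name in this.attributes ? this.attributes[name] : null; },
    replaceChildren(...nodes) { this.children = nodes; this.textContent = ''; },
  });
  return { createElement: makeElement };
}

// Runs the safe renderer on one accepted and one rejected constructed input.
function demo() {
  const doc = makeFakeDocument();
  const container = doc.createElement('div');
  const good = new URLSearchParams('video=https://cdn.example.net/embed/42');
  const bad = new URLSearchParams('video=javascript:void(0)');
  const frame = renderVideoSafe(doc, container, good);
  const rejected = renderVideoSafe(doc, container, bad);
  return {
    acceptedSrc: frame ? frame.getAttribute('src') : null,
    rejected: rejected,
    fallbackText: container.textContent,
  };
}
```

The allowlist check is deliberately stricter than "escape the string": for a URL-valued sink the dangerous inputs are alternative schemes and foreign hosts, which escaping does not address. A CSP in the spirit of recommendation 3 complements this at the policy layer, for example `Content-Security-Policy: script-src 'self'; frame-src https://cdn.example.net` (with the host replaced by the real CDN origin), so that even a successful injection cannot load scripts or frames from elsewhere.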
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-01-23T12:32:07.880Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69738adc4623b1157c48bba3
Added to database: 1/23/2026, 2:51:08 PM
Last enriched: 1/31/2026, 8:31:25 AM
Last updated: 2/7/2026, 5:57:30 PM
Views: 29