Vulnerabilities > Thimpress > Learnpress > 4.1.3
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-13 | CVE-2021-24951 | SQL Injection vulnerability in Thimpress Learnpress The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues | 7.5 |
2021-10-21 | CVE-2021-39348 | Cross-site Scripting vulnerability in Thimpress Learnpress The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. | 3.5 |
2021-10-18 | CVE-2021-24702 | Cross-site Scripting vulnerability in Thimpress Learnpress The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltred_html capability is disallowed | 2.1 |