CVE-2021-24308
- Source
- https://cve.org/CVERecord?id=CVE-2021-24308
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-24308.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-24308
- Published
- 2021-05-24T11:15:08.387Z
- Modified
- 2026-04-10T04:30:39.431696Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile.
- References
Affected packages
Git / github.com/gocodebox/lifterlms
Affected versions
1.*
1.0.0
1.1.1
1.2.4
1.2.5
1.2.6
1.3.0
1.3.10
1.3.2
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
3.*
3.0.0-beta.1
3.0.0-beta.2
3.0.0-beta.3
3.0.0-beta.4
3.0.0-beta.5
3.20.0-beta.1
@lifterlms/llms-e2e-test-utils@1.*
@lifterlms/llms-e2e-test-utils@1.1.1
@lifterlms/llms-e2e-test-utils@2.*
@lifterlms/llms-e2e-test-utils@2.0.0
@lifterlms/llms-e2e-test-utils@2.1.0
@lifterlms/llms-e2e-test-utils@2.1.2
@lifterlms/llms-e2e-test-utils@2.1.3
@lifterlms/llms-e2e-test-utils@2.2.2
@lifterlms/scripts@1.*
@lifterlms/scripts@1.2.0
@lifterlms/scripts@1.2.1
@lifterlms/scripts@1.2.3
@lifterlms/scripts@1.2.4
@lifterlms/scripts@1.3.0
@lifterlms/scripts@1.3.1
@lifterlms/scripts@1.3.2
@lifterlms/scripts@1.3.5
llms-e2e-test-utils@1.*
llms-e2e-test-utils@1.0.0
llms-e2e-test-utils@1.0.1
llms-e2e-test-utils@1.1.0
v1.*
v1.3.3