WP Learn Manager Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP Learn Manager WordPress plugin, specifically in version 1.1.2. This vulnerability allows unauthenticated attackers to inject malicious scripts into the fieldtitle parameter. Exploitation involves sending POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field. The injected scripts are executed as arbitrary JavaScript when administrators access the field ordering interface.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected field.

Reproduction

To reproduce this vulnerability, send a POST request to '/wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield' with an XSS payload in the 'fieldtitle' parameter. After injecting the script, visit '/wp-admin/admin.php?page=jslm_fieldordering&ff=3' as an admin to trigger the XSS. The injected script may also execute in other contexts within the admin panel.