Vulnerabilities and security researches forlearn-manager learn-manager
Direction: ascendingJun 10, 2024
WP Learn Manager # CVE-2021-24504
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 02, 2021
- Research Description
- The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
- Affected versions
-
max 1.1.6.
- Status
-
vulnerable
May 19, 2026
WP Learn Manager # CVE-2021-47975
- CVE, Research URL
- Home page URL
- Application
- Date
- May 16, 2026
- Research Description
- WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the `fieldtitle` parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface.
- Affected versions
-
max 1.1.2.
- Status
-
vulnerable
Jun 16, 2026
WP Learn Manager # 302340e1e3fd02be98349935707453d81fa6c378
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 02, 2021
- Research Description
- WP Learn Manager [learn-manager] < 1.1.5 WP LMS – Best WordPress LMS Plugin <= 1.1.4 - Cross-Site Request Forgery The WP LMS – Best WordPress LMS Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to create and edit user-related data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 1.1.5.
- Status
-
vulnerable
WP Learn Manager # 81bc199228aa227201cf9b5fd736a96e5576fb25
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 02, 2021
- Research Description
- WP Learn Manager [learn-manager] < 1.1.5 WordPress WP Learn Manager plugin <= 1.1.4 - Unauthenticated Arbitrary User Field Edition/Creation vulnerability Unauthenticated Arbitrary User Field Edition/Creation vulnerability discovered in WordPress WP Learn Manager plugin (versions <= 1.1.4).
- Affected versions
-
max 1.1.5.
- Status
-
vulnerable
WP Learn Manager # 56031d26-4b15-47d7-9fa3-135299d591da
- CVE, Research URL
- Home page URL
- Application
- Date
- -
- Research Description
- WP Learn Manager [learn-manager] < 1.1.5 (closed) WP LMS < 1.1.5 - Unauthenticated Arbitrary User Field Edition/Creation The plugin is lacking any CSRF and capability checks when creating and editing User Fields, allowing unauthorised edition and creation of them either via CSRF or as any user (including unauthenticated) v1.1.5 added CSRF but still no capability check
- Affected versions
-
max 1.1.5.
- Status
-
vulnerable
Jul 10, 2026
WP Learn Manager # CVE-2026-12153
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 08, 2026
- Research Description
- The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.
- Affected versions
-
max 1.1.8.
- Status
-
vulnerable