cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forlearn-manager learn-manager

Direction: ascending
Jun 10, 2024

WP Learn Manager # CVE-2021-24504

CVE, Research URL

CVE-2021-24504

Application

WP Learn Manager

Date
Aug 02, 2021
Research Description
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
Affected versions
max 1.1.6.
Status
vulnerable
May 19, 2026

WP Learn Manager # CVE-2021-47975

CVE, Research URL

CVE-2021-47975

Application

WP Learn Manager

Date
May 16, 2026
Research Description
WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the `fieldtitle` parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface.
Affected versions
max 1.1.2.
Status
vulnerable
Jun 16, 2026

WP Learn Manager # 302340e1e3fd02be98349935707453d81fa6c378

Application

WP Learn Manager

Date
Aug 02, 2021
Research Description
WP Learn Manager [learn-manager] < 1.1.5 WP LMS – Best WordPress LMS Plugin <= 1.1.4 - Cross-Site Request Forgery The WP LMS – Best WordPress LMS Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to create and edit user-related data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.1.5.
Status
vulnerable

WP Learn Manager # 81bc199228aa227201cf9b5fd736a96e5576fb25

Application

WP Learn Manager

Date
Aug 02, 2021
Research Description
WP Learn Manager [learn-manager] < 1.1.5 WordPress WP Learn Manager plugin <= 1.1.4 - Unauthenticated Arbitrary User Field Edition/Creation vulnerability Unauthenticated Arbitrary User Field Edition/Creation vulnerability discovered in WordPress WP Learn Manager plugin (versions <= 1.1.4).
Affected versions
max 1.1.5.
Status
vulnerable

WP Learn Manager # 56031d26-4b15-47d7-9fa3-135299d591da

Application

WP Learn Manager

Date
-
Research Description
WP Learn Manager [learn-manager] < 1.1.5 (closed) WP LMS &lt; 1.1.5 - Unauthenticated Arbitrary User Field Edition/Creation The plugin is lacking any CSRF and capability checks when creating and editing User Fields, allowing unauthorised edition and creation of them either via CSRF or as any user (including unauthenticated) v1.1.5 added CSRF but still no capability check
Affected versions
max 1.1.5.
Status
vulnerable
Jul 10, 2026

WP Learn Manager # CVE-2026-12153

CVE, Research URL

CVE-2026-12153

Application

WP Learn Manager

Date
Jul 08, 2026
Research Description
The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository on the vulnerable site.
Affected versions
max 1.1.8.
Status
vulnerable