Vulnerabilities and security researches forwp-courses wp-courses

Jun 06, 2024

CVE, Research URL: CVE-2021-24621
Home page URL: Security reports for WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Application: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Date: Sep 13, 2021
Research Description: The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues
Affected versions: max 2.0.44.
Status: vulnerable

CVE, Research URL: CVE-2020-26876
Home page URL: Security reports for WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Application: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Date: Oct 07, 2020
Research Description: The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist).
Affected versions: max 3.2.4.
Status: vulnerable

Dec 13, 2024

CVE, Research URL: CVE-2024-12172
Home page URL: Security reports for WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Application: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Date: Dec 12, 2024
Research Description: The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary user's metadata which can be levereged to block an administrator from accessing their site when wp_capabilities is set to 0.
Affected versions: max 3.2.22.
Status: vulnerable

Mar 30, 2026

CVE, Research URL: CVE-2026-31914
Home page URL: Security reports for WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Application: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses
Date: Mar 25, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26.
Affected versions: max 3.2.26.
Status: vulnerable