CVE-2024-13599: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions
medium vulnerability
security
Summary
The LearnPress WordPress LMS Plugin has a stored cross-site scripting (XSS) vulnerability in all versions up to and including 4.2.7.5, caused by the plugin not properly filtering lesson names. Stored XSS is a flaw where attackers inject malicious code that runs when others view a page. Attackers with instructor-level access or higher can inject harmful scripts that execute whenever users visit affected pages.
Solution / Mitigation
A patch is available at https://plugins.trac.wordpress.org/changeset/3226650/ according to Wordfence. Users should update the LearnPress plugin to a version newer than 4.2.7.5.
Vulnerability Details
CVSS Score
6.4 (medium)
EPSS (30-day exploit probability)
EPSS: 0.3%
Classification
Attack Sophistication: Trivial
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-13599
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%