CVE-2021-24455: The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of A
Summary
The Tutor LMS WordPress plugin before version 1.9.2 had a security flaw where the Summary field of Announcements was not properly escaped (cleaned of potentially harmful code before display). This allowed users with Tutor Instructor privileges to inject malicious scripts that would execute when other users viewed the Announcements list. If an admin viewed the list, the attacker could potentially gain admin-level access through a stored cross-site scripting attack (XSS, where harmful code is permanently saved and runs when the page loads).
Solution / Mitigation
Update the Tutor LMS plugin to version 1.9.2 or later.
Vulnerability Details
5.4 (medium)
EPSS: 0.2%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2021-24455
First tracked: February 15, 2026 at 08:37 PM