CVE-2024-1463: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Course,
Summary
The LearnPress WordPress LMS Plugin (learning management system plugin for WordPress) is vulnerable to stored cross-site scripting (XSS, where an attacker can inject harmful code into a webpage) in versions up to 4.2.6.3. Attackers with instructor-level access can inject malicious scripts into course, lesson, and quiz titles and content due to insufficient input sanitization (cleaning user input) and output escaping (converting special characters so they display as text rather than code), and these scripts will run whenever users visit the affected pages.
Solution / Mitigation
The source indicates a fix exists in version 4.2.6.4, as referenced in the WordPress plugin changeset URL (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042945%40learnpress%2Ftags%2F4.2.6.3&new=3061851%40learnpress%2Ftags%2F4.2.6.4), which compares the vulnerable 4.2.6.3 version to the patched 4.2.6.4 version. Users should update to version 4.2.6.4 or later.
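A defender-side check for the advice above, as an added example that is not from the advisory or the LearnPress project: it reads the installed version from a plugin file header, compares it with 4.2.6.4, and flags stored titles and content that already hold script-capable markup. The header text, the sample rows and the `lp_course`/`lp_lesson`/`lp_quiz` type names are constructed assumptions.

```python
import re

FIXED = (4, 2, 6, 4)  # first patched release named on this page

def parse_version(text):
    """'4.2.6.3' -> (4, 2, 6, 3); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def installed_version(plugin_header):
    """Read the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_header, re.M | re.I)
    return m.group(1) if m else None

def is_vulnerable(version):
    return parse_version(version) < FIXED

# Titles are plain text, so any tag in one deserves review. Content may hold
# legitimate HTML, so only script-capable constructs are flagged there.
TITLE_TAG = re.compile(r"</?[a-z!][^>]*>", re.I)
ACTIVE_CONTENT = re.compile(r"<script\b|<[^>]+\son\w+\s*=|javascript\s*:", re.I)

def audit(rows):
    """Return (post id, field) pairs that need manual review."""
    hits = []
    for row in rows:
        if TITLE_TAG.search(row["title"]):
            hits.append((row["id"], "title"))
        if ACTIVE_CONTENT.search(row["content"]):
            hits.append((row["id"], "content"))
    return hits

# Constructed sample data, not taken from a real site.
SAMPLE_HEADER = """/**
 * Plugin Name: LearnPress
 * Version: 4.2.6.3
 */"""
SAMPLE_ROWS = [
    {"id": 101, "type": "lp_course", "title": "Intro to Networking", "content": "<p>Week 1 &amp; 2</p>"},
    {"id": 102, "type": "lp_lesson", "title": "Subnets <script>alert(1)</script>", "content": "<p>ok</p>"},
    {"id": 103, "type": "lp_quiz", "title": "Quiz 1", "content": '<img src="x" onerror="alert(1)">'},
    {"id": 104, "type": "lp_lesson", "title": "Comparing a < b and b > c", "content": "<a href='https://example.com'>ref</a>"},
]

if __name__ == "__main__":
    v = installed_version(SAMPLE_HEADER)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for post_id, field in audit(SAMPLE_ROWS):
        print("review post", post_id, field)
```

Updating the plugin does not remove markup that was saved before the update, so the audit is worth running on existing course, lesson and quiz records after patching.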
Vulnerability Details
CVSS: 4.4 (medium)
EPSS: 0.2%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-1463
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%