medium threat

WP Learn Manager Stored XSS Vulnerability (CVE-2021-47975)

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability (CVE-2021-47975) that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter via a POST request to the jslm_fieldordering page, resulting in arbitrary JavaScript execution when administrators view the field ordering interface.

WP Learn Manager version 1.1.2 is susceptible to a stored cross-site scripting (XSS) vulnerability, identified as CVE-2021-47975. This flaw allows unauthenticated attackers to inject malicious JavaScript code into the application. The vulnerability is triggered when an attacker sends a crafted POST request to the jslm_fieldordering page, embedding the XSS payload within the fieldtitle parameter. When an administrator accesses the field ordering interface, the injected script is executed within their browser session. This vulnerability could allow attackers to compromise administrator accounts, deface the website, or redirect users to malicious sites.

Attack Chain

  1. An unauthenticated attacker crafts a malicious POST request targeting the jslm_fieldordering page.
  2. The attacker includes a JavaScript payload within the fieldtitle parameter of the POST request, designed to execute arbitrary code in the administrator’s browser.
  3. The attacker sends the crafted POST request to the vulnerable jslm_fieldordering endpoint.
  4. The WP Learn Manager application stores the malicious payload in its database without proper sanitization or encoding.
  5. An administrator logs into the WP Learn Manager administrative interface.
  6. The administrator navigates to the field ordering interface, which retrieves the stored, malicious fieldtitle value from the database.
  7. The application renders the page, injecting the stored JavaScript payload into the administrator’s browser.
  8. The administrator’s browser executes the malicious JavaScript code, potentially leading to account compromise or further malicious actions.

Impact

Successful exploitation of this XSS vulnerability (CVE-2021-47975) allows unauthenticated attackers to inject arbitrary JavaScript code into the WP Learn Manager application. This can lead to the compromise of administrator accounts, allowing the attacker to gain full control over the website. Other impacts include website defacement, redirection of users to malicious sites, or theft of sensitive information. The CVSS v3.1 base score for this vulnerability is 7.2, indicating a high level of potential impact.

Recommendation

  • Deploy the Sigma rule "Detect CVE-2021-47975 Exploitation — WP Learn Manager XSS via fieldtitle Parameter" to detect exploitation attempts in web server logs.
  • Inspect web server logs for POST requests to the jslm_fieldordering endpoint containing suspicious characters or JavaScript code within the fieldtitle parameter, as highlighted by the cs-uri-query|contains field in the Sigma rule.
  • Upgrade WP Learn Manager to a patched version that addresses CVE-2021-47975.
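
The log inspection recommended above, as an added Python example (not part of the original advisory or its Sigma rule): it flags POST requests to jslm_fieldordering whose logged fieldtitle value decodes to markup, and marks requests with no fieldtitle in the query string for review, since access logs do not record POST bodies. The Combined Log Format, the markup heuristic and the sample lines (addresses and URL shape) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request portion of Apache/nginx Combined Log Format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic (assumption): a field title never needs markup or event handlers.
MARKUP_RE = re.compile(r'[<>]|javascript:|\bon\w+\s*=', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, timestamp, verdict) for POSTs to jslm_fieldordering, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or "jslm_fieldordering" not in m["uri"]:
        return None
    titles = parse_qs(urlsplit(m["uri"]).query).get("fieldtitle", [])
    if any(MARKUP_RE.search(decode_fully(t)) for t in titles):
        verdict = "alert"    # markup visible in the logged query string
    elif titles:
        verdict = "ok"       # fieldtitle logged and looks like plain text
    else:
        verdict = "review"   # fieldtitle not logged (likely in the POST body)
    return m["ip"], m["ts"], verdict

# Constructed sample lines; addresses and URL shape are illustrative only.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin.php?page=jslm_fieldordering&fieldtitle=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /wp-admin/admin.php?page=jslm_fieldordering&fieldtitle=%253Cimg%2520src%253Dx%2520onerror%253D1%253E HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jan/2024:10:02:11 +0000] "POST /wp-admin/admin.php?page=jslm_fieldordering HTTP/1.1" 302 0',
    '192.0.2.44 - - [10/Jan/2024:10:03:00 +0000] "GET /wp-admin/admin.php?page=jslm_fieldordering HTTP/1.1" 200 9000',
    '192.0.2.44 - - [10/Jan/2024:10:04:00 +0000] "POST /wp-admin/admin.php?page=jslm_fieldordering&fieldtitle=Course+Name HTTP/1.1" 200 512',
]

def scan(lines):
    """Keep only the hits an analyst should look at (alert or review)."""
    return [hit for hit in map(classify, lines) if hit and hit[2] != "ok"]

if __name__ == "__main__":
    for ip, ts, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:6} {ts} {ip}")
```

A "review" verdict means the query string alone cannot confirm or rule out a payload; request-body logging (for example from a WAF or reverse proxy) is needed to inspect the fieldtitle value for those requests.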

Detection coverage 1

Detect CVE-2021-47975 Exploitation — WP Learn Manager XSS via fieldtitle Parameter

medium

Detects CVE-2021-47975 exploitation — HTTP POST to jslm_fieldordering with XSS payload in fieldtitle parameter

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
