Attack Chain

1. An unauthenticated attacker crafts a malicious POST request targeting the jslm_fieldordering page.
2. The attacker includes a JavaScript payload within the fieldtitle parameter of the POST request, designed to execute arbitrary code in the administrator’s browser.
3. The attacker sends the crafted POST request to the vulnerable jslm_fieldordering endpoint.
4. The WP Learn Manager application stores the malicious payload in its database without proper sanitization or encoding.
5. An administrator logs into the WP Learn Manager administrative interface.
6. The administrator navigates to the field ordering interface, which retrieves the stored, malicious fieldtitle value from the database.
7. The application renders the page, injecting the stored JavaScript payload into the administrator’s browser.
8. The administrator’s browser executes the malicious JavaScript code, potentially leading to account compromise or further malicious actions.

Impact

Successful exploitation of this XSS vulnerability (CVE-2021-47975) allows unauthenticated attackers to inject arbitrary JavaScript code into the WP Learn Manager application. This can lead to the compromise of administrator accounts, allowing the attacker to gain full control over the website. Other impacts include website defacement, redirection of users to malicious sites, or theft of sensitive information. The CVSS v3.1 base score for this vulnerability is 7.2, indicating a high level of potential impact.

Recommendation

• Deploy the Sigma rule Detect CVE-2021-47975 Exploitation — WP Learn Manager XSS via fieldtitle Parameter to detect exploitation attempts in web server logs.
• Inspect web server logs for POST requests to the jslm_fieldordering endpoint containing suspicious characters or JavaScript code within the fieldtitle parameter, as highlighted by the cs-uri-query|contains field in the Sigma rule.
• Upgrade WP Learn Manager to a patched version that addresses CVE-2021-47975.