VYPR
Unrated severity · NVD Advisory · Published Nov 23, 2021 · Updated Aug 3, 2024

Video Lessons Manager - Admin+ Stored Cross-Site Scripting

CVE-2021-24713

Description

The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products (3)

  • Range: <1.7.2
  • TODO/Video Lessons Manager – Best Video Course LMSv5
    Range: 1.7.2
  • TODO/Video Lessons Manager Pro – Best Video Course LMSv5
    Range: 3.5.9

Patches

Vulnerability mechanics

Root cause

"Missing input sanitization and output escaping in plugin settings update handling allows stored cross-site scripting."

Attack vector

An attacker with high privileges (Administrator-level) can inject malicious JavaScript into plugin settings fields that are not properly sanitized or escaped before being stored [ref_id=1]. When the settings are later rendered in the WordPress admin panel, the injected script executes in the context of other high-privilege users' browsers [CWE-79]. The attack requires authenticated access at the Administrator level and does not require any special network path beyond normal WordPress admin access.

Affected code

The vulnerability exists in the settings update functionality of the Video Lessons Manager (cm-video-lesson-manager) plugin before version 1.7.2 and the Video Lessons Manager Pro (cm-video-lesson-manager-pro) plugin before version 3.5.9 [ref_id=1]. The advisory does not specify exact file paths or function names.

What the fix does

The advisory states the fix is included in version 1.7.2 of the free plugin and version 3.5.9 of the Pro plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation involves properly sanitizing and escaping values when updating plugin settings to prevent stored cross-site scripting [ref_id=1]. Administrators should update to the patched versions.
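As an added illustration (not code from the Video Lessons Manager plugins, whose affected files the advisory does not name), the following hypothetical WordPress settings handler contrasts the pattern the advisory describes, a settings value stored without sanitization and rendered without escaping, with a hardened version that checks capability and nonce, sanitizes on write and escapes on read. The option name, field name, nonce action and settings group are all invented for the example.

```php
<?php
/**
 * Added example, not the plugins' own code. Option, field, nonce and
 * group names ("example_vlm_*") are hypothetical.
 */

// ---- Vulnerable pattern: raw POST value stored, raw option echoed ----
function example_vlm_save_settings_unsafe() {
    if ( isset( $_POST['example_vlm_title'] ) ) {
        // No capability or nonce check and no sanitization:
        // whatever the submitter sent is persisted verbatim.
        update_option( 'example_vlm_title', $_POST['example_vlm_title'] );
    }
}

function example_vlm_render_settings_unsafe() {
    $title = get_option( 'example_vlm_title', '' );
    // The stored value is written straight into an attribute, so any markup
    // it contains runs for every administrator who opens the screen (CWE-79).
    echo '<input type="text" name="example_vlm_title" value="' . $title . '">';
}

// ---- Hardened pattern: capability + nonce, sanitize on write, escape on read ----
function example_vlm_save_settings_safe() {
    if ( ! isset( $_POST['example_vlm_title'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-vlm' ) );
    }
    // Rejects requests that did not originate from the plugin's own form.
    check_admin_referer( 'example_vlm_save', 'example_vlm_nonce' );

    // Sanitize before storing: wp_unslash() undoes WordPress' magic-quote
    // slashing, sanitize_text_field() strips tags and control characters.
    $title = sanitize_text_field( wp_unslash( $_POST['example_vlm_title'] ) );
    update_option( 'example_vlm_title', $title );
}

function example_vlm_render_settings_safe() {
    $title = get_option( 'example_vlm_title', '' );
    // Escape for the exact output context: esc_attr() inside an attribute,
    // esc_html() for a text node, esc_url() for an href.
    echo '<input type="text" name="example_vlm_title" value="' . esc_attr( $title ) . '">';
    wp_nonce_field( 'example_vlm_save', 'example_vlm_nonce' );
}

// Registering the option with a sanitize_callback makes sanitization apply
// whenever the option is saved through the Settings API, not only via the
// handler above.
add_action( 'admin_init', function () {
    register_setting( 'example_vlm_group', 'example_vlm_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
} );
```

Two points worth keeping in mind when reviewing a plugin for this class of bug. First, sanitizing on write and escaping on read are separate controls: sanitize_text_field() reduces what can be stored, but output escaping is what prevents a value that reached the database by any other path from executing, so a reviewer should grep for get_option() results that are echoed without an esc_*() wrapper. Second, on a single-site WordPress install administrators hold the unfiltered_html capability by default, so WordPress core does not filter their HTML; the plugin's own escaping is the only thing standing between one administrator's stored value and another administrator's browser, which is why advisories still treat Admin+ stored XSS as a defect.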

Preconditions

  • auth: Attacker must have Administrator-level access to the WordPress site
  • config: The vulnerable plugin (Video Lessons Manager or Video Lessons Manager Pro) must be installed and activated

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
