VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2023 · Updated Apr 28, 2026

WordPress MasterStudy LMS Plugin <= 3.0.8 is vulnerable to Cross Site Scripting (XSS)

CVE-2023-35090

Description

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.7 versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in MasterStudy LMS plugin <=3.0.7 allows contributor+ users to inject arbitrary web scripts.

Vulnerability

The MasterStudy LMS WordPress Plugin for online courses and education, versions 3.0.7 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability. The issue arises from insufficient input sanitization and output escaping, allowing authenticated users with at least contributor-level access to inject malicious scripts. The vulnerable code path is reachable when a contributor or higher role creates or edits content such as courses, lessons, or quizzes. Affected plugin versions: up to and including 3.0.7. [1]
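The sanitize-on-save and escape-on-output pattern that closes this class of bug in a WordPress plugin, shown as an added illustration rather than MasterStudy LMS code; the `ex_lms_` functions, the meta key and the nonce action are hypothetical, and it assumes the usual WordPress core API:

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical meta key and
// function names. Contributors and authors lack the unfiltered_html capability,
// so their rich-text input must pass through the same allow-list core applies
// to post content, and every render path must escape what it prints.

// Vulnerable shape: raw POST value stored, then echoed without escaping.
function ex_lms_save_description_vulnerable( int $post_id ): void {
    if ( isset( $_POST['ex_lms_description'] ) ) {
        // wp_unslash() only removes the slashes WordPress adds; nothing is filtered.
        update_post_meta( $post_id, '_ex_lms_description', wp_unslash( $_POST['ex_lms_description'] ) );
    }
}
function ex_lms_render_description_vulnerable( int $post_id ): void {
    echo get_post_meta( $post_id, '_ex_lms_description', true ); // script tags and on* handlers survive
}

// Hardened shape.
function ex_lms_save_description( int $post_id ): void {
    if ( ! isset( $_POST['ex_lms_description'] ) ) {
        return;
    }
    // Nonce plus capability check: only a user allowed to edit this post may save.
    $nonce = isset( $_POST['ex_lms_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['ex_lms_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ex_lms_save_' . $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['ex_lms_description'] );
    // wp_kses_post() strips <script>, event-handler attributes and javascript: URLs
    // for roles without unfiltered_html (contributor, author, and editor on multisite).
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_post_meta( $post_id, '_ex_lms_description', $clean );
}
function ex_lms_render_description( int $post_id ): void {
    $stored = get_post_meta( $post_id, '_ex_lms_description', true );
    // Escape on output as well: stored rows may predate the save-side filter or
    // have arrived through another path (import, REST, direct database write).
    echo wp_kses_post( $stored );
}
// For plain-text fields (titles, short labels) use sanitize_text_field() on save
// and esc_html() on output instead of the HTML allow-list.
add_action( 'save_post', 'ex_lms_save_description' );
```

Filtering on save and escaping on render are both needed: the save-side allow-list protects the administrator viewing stored content, and the output escape covers data written before the fix or through a path the save handler never sees.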

Exploitation

An attacker must have a WordPress account with contributor privileges or higher (e.g., author, editor, administrator) on a site running the vulnerable plugin. The attacker can inject arbitrary JavaScript payloads into fields that are later stored and displayed to other users, including administrators. The XSS is triggered when a victim (e.g., site admin) views the injected content, such as a course description or lesson material. No additional user interaction beyond viewing the page is required from the victim. The specific fields vulnerable are not detailed in the available reference, but the vulnerability is classified as stored XSS. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, cookie theft, redirection to malicious sites, defacement, or other actions that the victim user can perform. Since the attacker can target administrators, the impact extends to potential full site compromise, including installation of backdoors, creation of new admin accounts, or exfiltration of sensitive data. The privilege level attained is that of the victim user; targeting an admin yields full administrative control. [1]

Mitigation

The official plugin repository lists the current version as 3.7.32, but the specific fix for this vulnerability is not documented in the provided reference. The plugin author, StylemixThemes, likely addressed this issue in a later release (after 3.0.7). Users should upgrade to the latest available version (3.7.32 or higher) and review the plugin changelog for mention of CVE-2023-35090. No workarounds are provided in the reference. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: <=3.0.7
  • StylemixThemes/MasterStudy LMS WordPress Plugin – for Online Courses and Education v5
    Range: n/a

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.