Unrated severity · NVD Advisory · Published Oct 29, 2024 · Updated Apr 8, 2026

Masteriyo LMS – eLearning and Online Course Builder for WordPress <= 1.13.3 - Authenticated (Student+) Stored Cross-Site Scripting via Ask a Question Functionality

CVE-2024-10000

Description

Masteriyo LMS plugin for WordPress <=1.13.3 has stored XSS via the question content parameter, allowing student-level attackers to inject arbitrary scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Versions of the Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin (learning-management-system) up to and including 1.13.3 [1][2] contain a stored cross-site scripting vulnerability. The question content parameter is not properly sanitized on input or escaped on output, so arbitrary web scripts can be injected into pages and execute whenever other users access those pages.

Exploitation

An authenticated attacker with at least student-level access can inject malicious scripts via the question's content parameter. The attacker does not require any unusual network position or additional privileges; they simply need to submit a crafted question through the plugin's interface. The injected script will execute for any user who subsequently views the affected page, including teachers and administrators.

Impact

Successful exploitation results in stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is broad because any authenticated student-level account can plant the script, and the users who later view the injected content can include higher-privileged ones.

Mitigation

The vulnerability exists in all versions up to and including 1.13.3. As of the publication date (2024-10-29), the fix should be released in version 2.2.1 or later, which was last updated on 2026-05-20 [1]. Users should update to the latest version as soon as it becomes available. No workaround or KEV listing was provided in the references.
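Because the injected script is stored with the question, a practical companion to updating is reviewing question content that is already saved. The following is an added example, not code from the plugin or from this advisory: it flags stored markup that could run script when rendered. The `(id, author, content)` row format and the sample rows are constructed assumptions; how the plugin stores questions is not described on this page.

```python
from html.parser import HTMLParser

# Elements that can run or load script; not expected in a student's question text.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "base", "meta", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class _MarkupAudit(HTMLParser):
    """Collects reasons a stored HTML fragment could execute script when rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Drop whitespace/control characters before checking the scheme
                # (conservative: browsers ignore tabs and newlines in URLs).
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(BAD_SCHEMES):
                    self.findings.append(f"script-capable URL in {name} on <{tag}>")


def audit_questions(rows):
    """Return {question_id: [findings]} for rows whose content needs review."""
    flagged = {}
    for qid, _author, content in rows:
        parser = _MarkupAudit()
        parser.feed(content)
        parser.close()
        if parser.findings:
            flagged[qid] = parser.findings
    return flagged


# Constructed sample rows (hypothetical export of stored questions).
SAMPLE_ROWS = [
    (101, "student_a", "How do I reset my quiz attempt?"),
    (102, "student_b", 'Is <b>lesson 3</b> required? <a href="https://example.com/n">notes</a>'),
    (103, "student_c", 'Question<img src=x onerror="/* constructed */">'),
    (104, "student_d", '<a href=" java\tscript:void(0)">link</a>'),
    (105, "student_e", "Is 3 < 5 covered in the maths unit?"),
]
for qid, reasons in audit_questions(SAMPLE_ROWS).items():
    print(qid, reasons)
```

Flagged rows are candidates for manual review, not confirmed injections; plain formatting markup and a literal `<` in text are left alone.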

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

2
