VYPR
Medium severity 5.9 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 15, 2026

CVE-2026-24584

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in Tutor LMS BunnyNet Integration plugin ≤1.0.0 allows script injection via improper input neutralization; update to 1.0.1.

Vulnerability Overview

CVE-2026-24584 describes a DOM-Based Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Tutor LMS BunnyNet Integration, affecting versions up to and including 1.0.0. The issue arises from improper neutralization of user input during web page generation, enabling an attacker to inject malicious scripts that execute in the victim's browser within the context of the vulnerable site. [1]

Exploitation Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a malicious page. While the attack can be initiated by a privileged user role, successful execution depends on an end-user's action. This DOM-based variant means the payload manipulates the client-side environment, making it harder to detect via server-side filters. [1]

Impact

An attacker can inject arbitrary scripts, redirects, or advertisements into the website, which will execute when visitors load the affected page. This could lead to data theft, session hijacking, or defacement. The vulnerability is rated Medium with a CVSS v3 score of 5.9, and the vendor notes that such XSS flaws are often used in mass-exploit campaigns against WordPress sites. [1]

Mitigation

The vendor has released version 1.0.1, which fixes the issue. Users are strongly advised to update immediately. For those unable to update, temporary measures include requesting assistance from a hosting provider or web developer. Patchstack users can enable auto-updates to apply the fix automatically. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
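One way to check an install against the fix version named under Mitigation (an added example, not code from the vendor or this advisory). It assumes the plugin directory is named after the slug in the description and that its main file carries the standard WordPress `Version:` header; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Values taken from the advisory text.
PLUGIN_SLUG = "tutor-lms-bunnynet-integration"
LAST_AFFECTED = (1, 0, 0)  # affected "through <= 1.0.0"; 1.0.1 carries the fix

# Standard WordPress plugin header line, e.g. " * Version: 1.0.0"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-+]*)", re.M | re.I)


def parse_version(text):
    """Turn '1.0.1' into (1, 0, 1); missing parts count as 0, suffixes are ignored."""
    parts = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(plugins_dir):
    """Return the version string from the plugin header, or None if not found."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    # Assumption: the main file name is not given in the advisory, so every
    # top-level PHP file is checked. WordPress reads headers from the first 8 KiB.
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        m = VERSION_RE.search(head) if re.search(r"Plugin Name:", head, re.I) else None
        if m:
            return m.group(1)
    return None


def audit(plugins_dir):
    """Classify one wp-content/plugins directory: absent, vulnerable, patched or unknown."""
    if not (Path(plugins_dir) / PLUGIN_SLUG).is_dir():
        return "absent"
    version = installed_version(plugins_dir)
    if version is None:
        return "unknown"  # directory exists but no header was found: inspect manually
    return "vulnerable" if parse_version(version) <= LAST_AFFECTED else "patched"


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. /var/www/site/wp-content/plugins
        print(path, audit(path), installed_version(path))
```

An `unknown` result means the plugin directory exists but no header could be read, so that install should be checked by hand before it is treated as patched.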

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
