CVE-2026-31914

Vulnerability

Overview CVE-2026-31914 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the WP Courses LMS plugin for WordPress, affecting versions from n/a through 3.2.26. The issue stems from improper neutralization of user input during web page generation, enabling an attacker to inject arbitrary JavaScript into the DOM of a victim's browser [1].

Exploitation

Prerequisites Exploitation requires user interaction, such as clicking a crafted link or visiting a maliciously prepared page. While the vulnerability can be initiated by an authenticated user with specific roles, successful execution depends on a privileged user performing an action that triggers the injected script [1].

Impact

An attacker exploiting this vulnerability can inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) that execute when visitors view the affected site. This could lead to session hijacking, defacement, or phishing attacks, posing a moderate risk to site integrity and user privacy [1].

Mitigation

The vendor has released version 3.2.27, which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks, and auto-update features can be enabled for vulnerable plugins [1].