WP Learn Manager 1.1.2 has a stored cross‑site scripting flaw that allows an unauthenticated attacker to inject malicious JavaScript via the fieldtitle parameter. By sending a specially crafted POST request to the jslm_fieldordering endpoint, the attacker can store XSS payloads that are executed whenever an administrator opens the field ordering interface. This results in arbitrary script execution in the admin’s browser context and may enable malicious client‑side actions.

This vulnerability is known to affect the WordPress plugin WP Learn Manager, version 1.1.2. The available data does not specify any other versions as vulnerable, so current knowledge indicates that only this specific build is confirmed at risk.

The flaw carries a CVSS score of 5.1, indicating moderate severity, and its EPSS score is < 1%, indicating a very low probability of exploitation. The exploitation path is remote and requires no authentication, which increases the risk of exploitation by a wide range of attackers. Because the vulnerability is not listed in CISA’s KEV catalog, no known widespread exploitation campaigns have been reported, but the attack vector remains straightforward: unauthenticated POST to the ordering page followed by an admin’s visit to the interface triggers client‑side script execution.