Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MantraBrain Sikshya LMS sikshya allows Reflected XSS. This issue affects Sikshya LMS: from n/a through <= 0.0.21.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious script into web pages rendered by the Sikshya LMS WordPress plugin. Because user input is not properly sanitized before being included in the page, an attacker can send a crafted URL that causes arbitrary JavaScript to execute in the victim’s browser. The primary impact is the potential theft of session cookies, credential compromise, or malicious actions performed on behalf of the user.

Affected Systems

WordPress installations using the MantraBrain Sikshya LMS plugin, versions from the first release up to and including 0.0.21, are affected.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high severity vulnerability. The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA’s KEV catalog. Attacks would likely involve an attacker crafting a malicious URL that a user clicks or is otherwise induced to visit, resulting in reflected XSS execution. No specialized prerequisites beyond the presence of the vulnerable plugin are required.

Generated by OpenCVE AI on May 2, 2026 at 05:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Sikshya LMS plugin to a version greater than 0.0.21 to eliminate the reflected XSS vector.
  • If upgrading is not feasible, deactivate or uninstall the plugin to remove the vulnerability.
  • Configure a Web Application Firewall or use a security plugin to filter and block malicious script inputs, and monitor site logs for XSS attempts.



Advisories
Source: EUVD
ID: EUVD-2025-3831
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MantraBrain Sikshya LMS allows Reflected XSS. This issue affects Sikshya LMS: from n/a through 0.0.21.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MantraBrain Sikshya LMS allows Reflected XSS. This issue affects Sikshya LMS: from n/a through 0.0.21.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MantraBrain Sikshya LMS sikshya allows Reflected XSS.This issue affects Sikshya LMS: from n/a through <= 0.0.21.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  Values Removed: {'score': 0.00035}
  Values Added: {'score': 0.00045}


Mon, 03 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MantraBrain Sikshya LMS allows Reflected XSS. This issue affects Sikshya LMS: from n/a through 0.0.21.
Title WordPress Sikshya LMS Plugin <= 0.0.21 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:30.458Z

Reserved: 2025-01-23T14:51:25.978Z

Link: CVE-2025-24630

Vulnrichment

Updated: 2025-02-03T16:35:33.313Z

NVD

Status : Deferred

Published: 2025-02-03T15:15:27.730

Modified: 2026-06-17T08:59:20.830

Link: CVE-2025-24630

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')