Impact
Improper neutralization of script-related HTML tags allows an attacker to inject arbitrary HTML or JavaScript into pages generated by the Tutor LMS plugin. This basic XSS flaw is triggered when user-controlled content is rendered without proper output escaping, so attacker-supplied markup executes in the browser of any visitor who views the affected page. The vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), which points to the plugin failing to encode or sanitize the content before displaying it.
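As an added illustration of the CWE-80 class of defect (example code, not Tutor LMS code or the vendor's fix): two output-handling strategies for author-editable content, a plain-text path that encodes everything and a rich-text path that keeps an allowlist of formatting tags while dropping script-related tags, event-handler attributes and script-scheme URLs. The Python below stands in for what a WordPress plugin would do with esc_html() and wp_kses()/wp_kses_post(); the tag and attribute allowlists are assumptions chosen for the example.

```python
# Added example, not Tutor LMS code: neutralizing script-related HTML (CWE-80) in
# author-editable content (WordPress equivalents: esc_html(), wp_kses_post()).
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
SCRIPT_LIKE = {"script", "style"}  # text inside these is dropped, not just the tags

def render_escaped(user_value: str) -> str:
    """Plain-text field (e.g. a course title): encode every HTML metacharacter."""
    return escape(user_value, quote=True)

class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities decoded here, re-escaped below
        self.out: list[str] = []
        self._skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_LIKE:
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            kept = []
            for name, value in attrs:
                name, value = name.lower(), value or ""
                if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # event handlers and unlisted attributes never survive
                if name == "href" and urlparse(re.sub(r"\s", "", value)).scheme not in SAFE_SCHEMES:
                    continue  # blocks javascript:, data:, vbscript: (whitespace stripped first)
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
        # any other tag (iframe, img, svg, object ...) is dropped; its text content is kept

    def handle_endtag(self, tag):
        if tag in SCRIPT_LIKE:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=True))

def render_sanitized(user_value: str) -> str:
    """Rich-text field (e.g. a lesson body): only allowlisted formatting survives."""
    p = _Sanitizer()
    p.feed(user_value); p.close()
    return "".join(p.out)
```

Which of the two paths applies depends on the field: anything that is meant to be text goes through render_escaped, and only fields that legitimately carry HTML go through the allowlist.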
Affected Systems
All releases of the Tutor LMS WordPress plugin up to and including 3.4.0 are affected, 3.4.0 being the current version at the time of writing. The plugin is distributed by Themeum under the name Tutor LMS. Because every earlier release carries the flaw, any site running version 3.4.0 or older must be treated as vulnerable until a fixed version is installed.
Risk and Exploitability
The CVSS score is 4.3, indicating medium severity, and the EPSS score is below 1 %, implying a very low likelihood of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, web-based injection: an attacker submits malicious content that the plugin later serves to visitors. The description does not indicate that local privileges or administrative access are required, so any user who can create or edit content within Tutor LMS could supply the payload, and any visitor who views that content is exposed.