Impact
The vulnerability is a stored cross-site scripting flaw that arises from improper sanitization of user input during web page generation in the Themeum Tutor LMS Elementor Addons plugin. An attacker can inject malicious script that the plugin stores and later renders, so it executes in the browser of anyone who views the affected content, potentially enabling session hijacking, cookie theft, defacement, and phishing. The weakness is a classic input validation failure (CWE-79) and can compromise the confidentiality, integrity, and availability of the site's users.
Affected Systems
The flaw impacts WordPress sites that use the Tutor LMS Elementor Addons plugin at versions up to 3.0.1. Any site deploying these plugin versions is susceptible; versions beyond 3.0.1 are not affected.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium severity risk, but the EPSS score of less than 1 % suggests that exploitation attempts are currently unlikely. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply crafted input that the plugin accepts and later renders on page load; no privilege escalation is indicated. The most practical exploitation path is through the content editing interfaces the plugin provides, which would let an attacker who already holds content creation privileges store malicious script.
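As an added illustration that is not the plugin's own code (the widget class, setting names and control IDs are hypothetical), the pattern behind this class of bug in an Elementor widget and its hardened form: a setting saved by a content editor is echoed raw in the render method, versus escaping it on output with the WordPress escaping function that matches the HTML context it lands in.

```php
<?php
// Added example; the widget and its settings are hypothetical, not taken from the plugin.
use Elementor\Widget_Base;

class Course_Title_Widget extends Widget_Base {
    public function get_name() { return 'hypothetical_course_title'; }

    // Vulnerable pattern: widget settings are persisted with the page and later
    // echoed as-is, so a stored payload executes for every visitor who loads it.
    protected function render_unsafe() {
        $s = $this->get_settings_for_display();
        echo '<h2 class="' . $s['css_class'] . '">' . $s['title'] . '</h2>';
        echo '<a href="' . $s['link'] . '">' . $s['link_text'] . '</a>';
        echo '<div class="description">' . $s['description'] . '</div>';
    }

    // Hardened pattern: escape at output time, choosing the escaper by context.
    // Escaping on render also neutralizes content that was saved before the fix,
    // which sanitizing only on save would miss.
    protected function render() {
        $s = $this->get_settings_for_display();
        // Attribute context: esc_attr(); text node context: esc_html().
        echo '<h2 class="' . esc_attr( $s['css_class'] ) . '">'
            . esc_html( $s['title'] ) . '</h2>';
        // URL context: esc_url() rejects javascript: and other unsafe schemes.
        echo '<a href="' . esc_url( $s['link'] ) . '">'
            . esc_html( $s['link_text'] ) . '</a>';
        // Fields that legitimately carry markup: allow only the post-safe tag set.
        echo '<div class="description">' . wp_kses_post( $s['description'] ) . '</div>';
    }
}
```

Reviewing a plugin for this defect means checking every `echo` in a widget's render path for an escaper that matches its context; a missing one on a setting that lower-privileged roles can edit is the bug described above.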
OpenCVE Enrichment