Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS.This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0.
Published: 2026-01-23
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (DOM‑based XSS) in Tutor LMS BunnyNet Integration plugin
Action: Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, which allows an attacker to inject malicious JavaScript that is executed in the victim’s browser context when the vulnerable plugin renders the content. The flaw is classified as CWE‑79 and results in DOM‑Based XSS.

Affected Systems

WordPress sites that use the Tutor LMS BunnyNet Integration plugin by Themeum with version 1.0.0 or earlier are affected. No specific fixed version is listed in the data, so the issue may still exist in any installation that has not been upgraded beyond 1.0.0.

Risk and Exploitability

The CVSS score of 5.9 reflects moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild. The plugin is not included in the CISA KEV catalog. The attack vector is user‑controlled input that is reflected into the page’s DOM, meaning an attacker must supply malicious data that the plugin outputs. While the potential impact is limited to client‑side code execution, the current likelihood of real‑world exploitation is low.

Generated by OpenCVE AI on April 16, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tutor LMS BunnyNet Integration plugin to the latest release that resolves the XSS flaw, or if no update is available, uninstall the plugin entirely to eliminate the vulnerability.
  • If the plugin cannot be removed immediately, apply a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted domains, thereby mitigating the impact of any injected code.
  • Ensure that any user‑generated content handled by the plugin is properly encoded before rendering, or apply a filter to sanitize plugin output to prevent script injection.

Generated by OpenCVE AI on April 16, 2026 at 07:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS.This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0.
Title WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:49.758Z

Reserved: 2026-01-23T12:32:07.880Z

Link: CVE-2026-24584

cve-icon Vulnrichment

Updated: 2026-01-27T19:55:23.008Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T15:16:16.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses