Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS. This issue affects WP Courses LMS: from n/a through <= 3.2.26.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

This vulnerability arises from improper neutralization of input when generating web pages, allowing a DOM‑based cross‑site scripting attack that injects arbitrary JavaScript into the victim's browser. The attacker can execute code in the victim's context, potentially reading cookies or session data or modifying page content, which may lead to data theft, session hijacking, or defacement.

Affected Systems

The flaw affects the WP Courses LMS WordPress plugin by hookandhook, specifically all releases up to and including version 3.2.26. No other products or versions are identified as impacted.

Risk and Exploitability

The assessed severity is a medium CVSS score of 6.5, indicating significant risk to authenticated users who load the affected pages. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting it may not be actively exploited yet. The attack vector is client‑side: an attacker needs to entice a user to view a crafted URL or input on a site running the vulnerable plugin, after which malicious code runs in the user's browser.

Generated by OpenCVE AI on March 25, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Courses LMS plugin to version 3.2.27 or later, which removes the vulnerable input handling.
  • If upgrading immediately is not feasible, restrict the plugin’s exposed input fields to allow only safe characters, or apply server‑side filtering to sanitize any user‑supplied data.
  • Implement a strong Content Security Policy (CSP) that disallows inline scripts and limits trusted script sources, reducing the impact of any remaining XSS vectors.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Hookandhook; Hookandhook wp Courses Lms; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Hookandhook; Hookandhook wp Courses Lms; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS. This issue affects WP Courses LMS: from n/a through <= 3.2.26.
Type: Title
  Values Added: WordPress WP Courses LMS plugin <= 3.2.26 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  Values Added: CWE-79
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:23:35.593Z

Reserved: 2026-03-10T10:59:45.898Z

Link: CVE-2026-31914

Vulnrichment

Updated: 2026-03-25T20:22:57.632Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:58.643

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-31914

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:33Z

Weaknesses