CVE-2021-24455: 
WordPress vulnerability analysis and mitigation

CVE-2021-24455 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Tutor LMS WordPress plugin versions below 1.9.2. The vulnerability was discovered by Phu Tran from techlabcorp.com and was publicly disclosed on June 28, 2021. The issue affects the plugin's Announcements feature, specifically impacting installations where users with Tutor Instructor privileges or higher have access to the system (WPScan).

The vulnerability stems from improper output escaping in the Summary field of Announcements within the Tutor LMS plugin. When outputting the Summary field in an attribute, the plugin fails to implement proper sanitization, allowing for the injection of malicious scripts. The vulnerability has been assigned a CVSS score of 8.2 (High) and is classified under CWE-79. The issue aligns with the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

When exploited, this vulnerability could lead to privilege escalation if the malicious content is viewed by an administrator. The stored XSS allows attackers to execute arbitrary JavaScript code in the context of other users' browsers, potentially compromising sensitive information or performing unauthorized actions on behalf of the victim (WPScan).

The vulnerability has been fixed in Tutor LMS version 1.9.2. Users are strongly advised to update their Tutor LMS plugin to this version or later to mitigate the risk (WPScan).