CVE-2021-24702: 
WordPress vulnerability analysis and mitigation

The LearnPress WordPress plugin before version 4.1.3.1 contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-24702. The vulnerability was discovered and publicly disclosed on September 20, 2021. The issue affects the course settings functionality within the LearnPress plugin, where various input fields lack proper sanitization and escaping mechanisms (WPScan).

The vulnerability stems from improper sanitization and escaping of various inputs within course settings. Multiple fields are affected when adding new courses, including the External Link field in Course Settings > General, and several fields under Course Settings > Extra Information (Requirements, Target Audience, Key Features, and FAQ Title). The vulnerability has been assigned a CVSS score of 3.8 (low severity) and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan).

The vulnerability allows high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed. Attackers can inject malicious web scripts through various course setting fields, potentially compromising the security of the website and its users (WPScan).

The vulnerability has been patched in LearnPress version 4.1.3.1. Users are advised to update their LearnPress plugin to this version or later to mitigate the security risk (WPScan).