CVE-2021-24707: 
WordPress vulnerability analysis and mitigation

The Learning Courses WordPress plugin (CVE-2021-24707) contains a stored Cross-Site Scripting (XSS) vulnerability affecting versions before 5.0. The vulnerability was discovered and publicly disclosed on December 29, 2021. This security issue affects the nd-learning WordPress plugin and was identified by researcher dhananjaygarg192002 (WPScan).

The vulnerability stems from improper sanitization and escaping of the Email PDT identity token settings in the plugin. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited even when the unfiltered_html capability is disallowed (NVD).

When exploited, this vulnerability allows high-privilege users to perform cross-site scripting attacks. The impact is considered moderate as it requires high privileges to exploit and can lead to limited confidentiality and integrity breaches (NVD).

The vulnerability has been fixed in version 5.0 of the Learning Courses WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).