CVE-2021-25006: 
WordPress vulnerability analysis and mitigation

The MOLIE WordPress plugin through version 0.5 contains a Reflected Cross-Site Scripting vulnerability (CVE-2021-25006). The vulnerability was discovered by Jeremie Amsellem and was publicly disclosed on November 29, 2021. The issue affects the molie-instructure-canvas-linking-tool plugin and has no known fix available (WPScan).

The vulnerability exists because the plugin does not properly escape the course_id parameter before outputting it back in the admin dashboard. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, WPScan).

If exploited, this vulnerability could allow attackers to execute arbitrary web scripts in the context of the admin dashboard. This could potentially lead to theft of sensitive data or manipulation of the admin interface when an administrator visits a specially crafted URL (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the MOLIE WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to the admin dashboard (WPScan).