CVE-2024-13127: 
WordPress vulnerability analysis and mitigation

The LearnPress WordPress plugin before version 4.2.7.5.1 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13127. This security issue was discovered by Dmitrii Ignatyev and was publicly disclosed on December 24, 2024. The vulnerability affects the plugin's settings functionality, specifically impacting the general settings page of the plugin, particularly the 'Decimal separator' field (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw exists even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been classified under CWE-79 (Cross-Site Scripting) and has been assigned a CVSS score of 4.8 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, the vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks. The XSS payload becomes active when viewing Order Details pages, potentially affecting other users who access these pages (WPScan).

The vulnerability has been patched in version 4.2.7.5.1 of the LearnPress WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).