CVE-2024-13128: 
WordPress vulnerability analysis and mitigation

The LearnPress WordPress plugin before version 4.2.7.5.1 contains a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13128. The vulnerability was discovered by Bob Matyas and publicly disclosed on December 24, 2024. This security issue affects the plugin's settings functionality, specifically impacting high-privilege users such as administrators (WPScan).

The vulnerability stems from insufficient sanitization and escaping of certain plugin settings, particularly in the advanced settings section. The issue specifically affects the 'Width Container' field in the plugin's advanced settings. The vulnerability has been assigned a CVSS 3.1 score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This security flaw can be exploited even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan, NVD).

When exploited, this vulnerability allows administrators to perform Stored Cross-Site Scripting attacks. The stored XSS payload can be executed when users view affected courses, potentially impacting the security of the WordPress installation and its users (WPScan).

The vulnerability has been patched in LearnPress version 4.2.7.5.1. Users are strongly advised to update their LearnPress plugin to this version or later to mitigate the security risk (WPScan).