CVE-2024-13599: 
WordPress vulnerability analysis and mitigation

The LearnPress WordPress LMS Plugin is affected by a Stored Cross-Site Scripting vulnerability (CVE-2024-13599) discovered in versions up to and including 4.2.7.5. The vulnerability was disclosed on January 25, 2025, and affects the WordPress plugin's lesson name functionality (NVD).

The vulnerability stems from insufficient input sanitization and output escaping of lesson names in the LearnPress plugin. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

When exploited, this vulnerability allows authenticated attackers with LP Instructor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 4.2.7.5.1. Site administrators are strongly advised to update their LearnPress plugin to this version or later to mitigate the risk (WordPress Plugin).