Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network reflected XSS needing victim click (UI:R) with browser-context scope change (S:C); low confidentiality/integrity impact but no genuine availability effect, so A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.
AnalysisAI
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link. Reported by Patchstack, the flaw carries CVSS 7.1 with a scope change, reflecting cross-context impact; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires no authentication (PR:N) but does require user interaction (UI:R): a victim must open an attacker-crafted link or request targeting a reflected input parameter of the LMS theme on a site running version 9.7 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates network-reachable, low-complexity, unauthenticated exploitation, but critically requires user interaction (UI:R) - a victim must click or load an attacker-supplied link - which meaningfully lowers real-world exploitability compared to a no-interaction flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a site running the LMS theme with a malicious script embedded in a reflected parameter and delivers it via phishing email, forum post, or malicious ad. When a logged-in administrator or ordinary visitor opens the link, the theme reflects the payload into the page and the script executes in their browser, enabling session-token theft, CSRF-style actions, or redirection. … |
| Remediation | Upgrade the LMS theme to a release newer than 9.7 once the vendor/Patchstack advisory confirms a fixed version; the supplied data does not include an exact patched version number, so verify the current fixed release directly via the Patchstack advisory (https://patchstack.com/database/wordpress/theme/lms/vulnerability/wordpress-lms-theme-9-7-reflected-cross-site-scripting-xss-vulnerability) before scheduling. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress deployments for designthemes LMS theme; identify affected versions and document business criticality of each instance. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
lms version <= LMS_011123 contains a Local File Disclosure vulnerability in File reading functionality in LMS module tha
Path traversal in Frappe Learning Management System (LMS) versions 2.50.0 and below allows authenticated users with cour
OS command injection in LMS (LAN Management System) before commit 9fcb4de allows authenticated adjacent attackers to exe
Error-based SQL injection in LMS (LAN Management System) before commit 4cb30a7 allows authenticated attackers to extract
Stored cross-site scripting (XSS) in Frappe Learning Management System versions 2.27.0 through 2.47.x allows unauthentic
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores
An issue in Mirapolis LMS 4.6.XX allows authenticated users to exploit an Insecure Direct Object Reference (IDOR) vulner
Reflected XSS in LAN Management System (LMS) before commit 9c5651b allows network-positioned attackers to inject arbitra
Metadata injection in Frappe LMS prior to version 2.53.0 enables authenticated users to embed crafted content into user-
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41329
GHSA-mmf8-rfrr-cx8x