Skip to main content

Ultimate Learning Pro CVE-2026-28113

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.1.

AnalysisAI

Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) affecting the Ultimate Learning Pro WordPress plugin (indeed-learning-pro). Reflected XSS occurs when user-supplied input is immediately echoed back in HTTP responses without proper sanitization or encoding. The plugin fails to properly neutralize input during web page generation, allowing attackers to inject arbitrary JavaScript or HTML that executes in victims' browsers within the security context of the WordPress site. The CVSS vector indicates network-based exploitation with low attack complexity, requiring no authentication (PR:N) but necessitating user interaction (UI:R). The changed scope (S:C) means the vulnerable component (the plugin) differs from the impacted component (the user's browser/session), typical of XSS vulnerabilities where plugin flaws impact end-user security.

Affected ProductsAI

WordPress Ultimate Learning Pro plugin (indeed-learning-pro) versions 3.9.1 and earlier are affected. The vulnerability report from Patchstack (https://patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-1-reflected-cross-site-scripting-xss-vulnerability) provides database-level confirmation. The plugin is developed by azzaroco. All WordPress installations with this plugin at version 3.9.1 or below are vulnerable to reflected XSS attacks requiring victim interaction.

RemediationAI

Upgrade Ultimate Learning Pro plugin to a version newer than 3.9.1 as soon as the vendor releases a patched version. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-1-reflected-cross-site-scripting-xss-vulnerability) and the plugin's official WordPress repository for update announcements. If immediate patching is not possible, implement compensating controls: enable WordPress Content Security Policy (CSP) headers to restrict inline script execution, reducing XSS impact (trade-off: may break legitimate plugin functionality requiring inline scripts); deploy web application firewall (WAF) rules to filter common XSS patterns in URL parameters (trade-off: risk of false positives blocking legitimate traffic); restrict plugin usage to trusted admin users only and disable on public-facing pages if feasible (trade-off: reduces plugin utility). Educate users about not clicking untrusted links leading to the WordPress site. None of these workarounds eliminate the vulnerability but they reduce exploitation surface until patching.

Share

CVE-2026-28113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy