Ultimate Learning Pro CVE-2026-28113
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.1.
AnalysisAI
Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) affecting the Ultimate Learning Pro WordPress plugin (indeed-learning-pro). Reflected XSS occurs when user-supplied input is immediately echoed back in HTTP responses without proper sanitization or encoding. The plugin fails to properly neutralize input during web page generation, allowing attackers to inject arbitrary JavaScript or HTML that executes in victims' browsers within the security context of the WordPress site. The CVSS vector indicates network-based exploitation with low attack complexity, requiring no authentication (PR:N) but necessitating user interaction (UI:R). The changed scope (S:C) means the vulnerable component (the plugin) differs from the impacted component (the user's browser/session), typical of XSS vulnerabilities where plugin flaws impact end-user security.
Affected ProductsAI
WordPress Ultimate Learning Pro plugin (indeed-learning-pro) versions 3.9.1 and earlier are affected. The vulnerability report from Patchstack (https://patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-1-reflected-cross-site-scripting-xss-vulnerability) provides database-level confirmation. The plugin is developed by azzaroco. All WordPress installations with this plugin at version 3.9.1 or below are vulnerable to reflected XSS attacks requiring victim interaction.
RemediationAI
Upgrade Ultimate Learning Pro plugin to a version newer than 3.9.1 as soon as the vendor releases a patched version. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-1-reflected-cross-site-scripting-xss-vulnerability) and the plugin's official WordPress repository for update announcements. If immediate patching is not possible, implement compensating controls: enable WordPress Content Security Policy (CSP) headers to restrict inline script execution, reducing XSS impact (trade-off: may break legitimate plugin functionality requiring inline scripts); deploy web application firewall (WAF) rules to filter common XSS patterns in URL parameters (trade-off: risk of false positives blocking legitimate traffic); restrict plugin usage to trusted admin users only and disable on public-facing pages if feasible (trade-off: reduces plugin utility). Educate users about not clicking untrusted links leading to the WordPress site. None of these workarounds eliminate the vulnerability but they reduce exploitation surface until patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today