Skip to main content

Wp Courses Lms EUVDEUVD-2026-15815

| CVE-2026-31914 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-hccm-r7qg-54x5
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15815
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26.

AnalysisAI

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the hookandhook WP Courses LMS WordPress plugin through version 3.2.26, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects all installations of WP Courses LMS up to and including version 3.2.26, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users. No CVSS score, EPSS data, or active KEV/POC information is currently available in public sources, though the vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15815.

Technical ContextAI

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses cross-site scripting flaws where untrusted user input is rendered in web pages without proper sanitization or encoding. The specific variant is DOM-Based XSS, meaning the vulnerable code processes user-controlled input through DOM manipulation (likely via JavaScript) without adequate output encoding. The affected product is hookandhook's WP Courses LMS plugin (CPE: cpe:2.3:a:hookandhook:wp_courses_lms:*:*:*:*:*:*:*:*), a WordPress educational/learning management system plugin. DOM-based XSS differs from reflected/stored variants in that the attack payload never touches the server; instead, malicious scripts are injected via client-side DOM APIs (document.write, innerHTML, etc.) using data from sources like URL fragments or localStorage.

RemediationAI

Administrators should immediately upgrade the WP Courses LMS plugin to a patched version released by hookandhook after version 3.2.26; consult the vendor's official security advisory and WordPress plugin repository for the latest stable release. Until patching is feasible, implement Content Security Policy (CSP) headers on the WordPress site to restrict inline script execution, disable the plugin if not actively in use, and apply the principle of least privilege to user roles that interact with course functionality. Review server access logs for suspicious URL patterns or encoded payloads that may indicate exploitation attempts. Additional information and confirmation of patch availability should be sought directly from hookandhook's security notifications or the WordPress plugin repository.

Share

EUVD-2026-15815 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy