Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26.
AnalysisAI
A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the hookandhook WP Courses LMS WordPress plugin through version 3.2.26, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects all installations of WP Courses LMS up to and including version 3.2.26, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users. No CVSS score, EPSS data, or active KEV/POC information is currently available in public sources, though the vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15815.
Technical ContextAI
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses cross-site scripting flaws where untrusted user input is rendered in web pages without proper sanitization or encoding. The specific variant is DOM-Based XSS, meaning the vulnerable code processes user-controlled input through DOM manipulation (likely via JavaScript) without adequate output encoding. The affected product is hookandhook's WP Courses LMS plugin (CPE: cpe:2.3:a:hookandhook:wp_courses_lms:*:*:*:*:*:*:*:*), a WordPress educational/learning management system plugin. DOM-based XSS differs from reflected/stored variants in that the attack payload never touches the server; instead, malicious scripts are injected via client-side DOM APIs (document.write, innerHTML, etc.) using data from sources like URL fragments or localStorage.
RemediationAI
Administrators should immediately upgrade the WP Courses LMS plugin to a patched version released by hookandhook after version 3.2.26; consult the vendor's official security advisory and WordPress plugin repository for the latest stable release. Until patching is feasible, implement Content Security Policy (CSP) headers on the WordPress site to restrict inline script execution, disable the plugin if not actively in use, and apply the principle of least privilege to user roles that interact with course functionality. Review server access logs for suspicious URL patterns or encoded payloads that may indicate exploitation attempts. Additional information and confirmation of patch availability should be sought directly from hookandhook's security notifications or the WordPress plugin repository.
More in Wp Courses Lms
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15815
GHSA-hccm-r7qg-54x5