Vendor Themeum
Affected product Tutor Lms
Affected versions <=2.0.9
Vulnerability type CWE-79: Cross-Site Scripting
Description The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Status fixed in 2.1.0
Reporter So Sakaguchi, GMO Cybersecurity by Ierae, Inc.