{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31914", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-10T10:59:45.898Z", "datePublished": "2026-03-25T16:14:56.894Z", "dateUpdated": "2026-03-25T20:23:35.593Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-courses", "product": "WP Courses LMS", "vendor": "hookandhook", "versions": [{"changes": [{"at": "3.2.27", "status": "unaffected"}], "lessThanOrEqual": "<= 3.2.26", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Duc Canh (canhnguyen26) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.605Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.<p>This issue affects WP Courses LMS: from n/a through <= 3.2.26.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:56.894Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-courses/vulnerability/wordpress-wp-courses-lms-plugin-3-2-26-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WP Courses LMS plugin <= 3.2.26 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31914", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:22:56.646156Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:23:35.593Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31914", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:22:56.646156Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:22:57.632Z"}}], "cna": {"title": "WordPress WP Courses LMS plugin <= 3.2.26 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Duc Canh (canhnguyen26) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "affected": [{"vendor": "hookandhook", "product": "WP Courses LMS", "versions": [{"status": "affected", "changes": [{"at": "3.2.27", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.2.26"}], "packageName": "wp-courses", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:35.605Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-courses/vulnerability/wordpress-wp-courses-lms-plugin-3-2-26-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.<p>This issue affects WP Courses LMS: from n/a through <= 3.2.26.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:56.894Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31914", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:23:35.593Z", "dateReserved": "2026-03-10T10:59:45.898Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:56.894Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26."}], "id": "CVE-2026-31914", "lastModified": "2026-03-25T21:16:41.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:58.643", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-courses/vulnerability/wordpress-wp-courses-lms-plugin-3-2-26-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:25:14.410971+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the WP Courses LMS plugin.", "If an upgrade cannot be performed immediately, disable or delete the plugin until a fix is released.", "Audit other installed plugins and themes for similar input handling that could be exploited, and sanitize or remove any vulnerable fields.", "Keep WordPress core, plugins, and themes up to date and perform regular security scans."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011site scripting via DOM\u2011based injection"}, "threat_synthesis": {"affected_systems": "The plugin is distributed by HookandHook as WP Courses LMS for WordPress. All installations running version 3.2.26 or earlier lack the fixes that were added in later releases. Any WordPress site that has this plugin installed, regardless of its configuration, is potentially exposed to the flaw.", "description_and_impact": "Improper neutralization of user input during web page generation in the WP Courses LMS plugin leads to a DOM\u2011based cross\u2011site scripting flaw. When a malicious user supplies specially crafted text that the plugin reflects in the page, arbitrary JavaScript can be executed in the browser of any visitor or administrator who loads that page. The weakness corresponds to CWE\u201179 and can allow attackers to deface content, steal session tokens, or redirect users to malicious sites.", "risk_and_exploitability": "No CVSS score or EPSS data are provided in the CVE record, and the vulnerability is not listed in the CISA KEV catalog. The flaw is likely exploitable through any input field or URL parameter that the plugin echoes back to the page, such as custom course descriptions or settings. Exploitation requires a victim\u2019s browser to load the affected page, so the attack is limited to those users. Despite the locality, the potential loss of confidentiality or integrity from malicious script execution is significant, warranting prompt action."}}}}, "created": "2026-03-25T21:43:48.113648+00:00", "updated": "2026-03-25T21:43:48.113671+00:00", "vendors": []}