CVE-2024-5576 in Tutor LMS Elementor Addons Plugin

Summary

by MITRE • 08/20/2024

The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'course_carousel_skin' attribute within the plugin's Course Carousel widget in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/14/2025

The vulnerability identified as CVE-2024-5576 affects the Tutor LMS Elementor Addons plugin for WordPress, specifically the Course Carousel widget. It is a stored cross-site scripting flaw of moderate severity rather than a critical one: exploitation needs an authenticated account, but the stored payload then reaches every visitor of the affected page. The flaw is present in all versions up to and including 2.1.4, so any installation that has not been updated past that release remains exposed, and sites that hand out contributor-level accounts freely (typical for learning platforms with many instructors and guest authors) are the most exposed.

The technical flaw stems from insufficient input sanitization and output escaping of user-supplied widget attributes. The value saved in the 'course_carousel_skin' attribute is stored with the widget configuration and later rendered into the page without adequate validation or escaping for its HTML context. An attacker who saves JavaScript (or markup that breaks out of the attribute and introduces an event handler) in that attribute therefore obtains a persistent payload that runs in the browser of every visitor to a page containing the affected widget. That persistence, as opposed to a payload carried only in the attacker's own request, is what distinguishes stored from reflected cross-site scripting.
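The following is an added illustration of the vulnerable and hardened patterns, written for this page; it is not the plugin's own source. Only the attribute name 'course_carousel_skin' comes from the advisory; the function names, the shape of the settings array, the skin names and the sample payload are assumptions, and Elementor's control registration is not shown.

```php
<?php
// Added example, not the plugin's code. Shows the class of bug the advisory
// describes: a widget attribute that a contributor controls is written into
// HTML without validation or escaping. Function names, the $settings array
// shape and the skin names are assumptions; only 'course_carousel_skin'
// is taken from the advisory.

// Outside WordPress, fall back to the equivalent of esc_attr() so the file
// runs under the php CLI. Inside WordPress the real esc_attr() is used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the stored attribute is concatenated straight into a
// class attribute. Anything a contributor saved in it (including a closing
// quote followed by an event handler, or a <script> tag) becomes live markup
// on every page that renders the widget.
function render_carousel_vulnerable(array $settings): string
{
    $skin = $settings['course_carousel_skin'] ?? 'default';
    return '<div class="course-carousel skin-' . $skin . '"></div>';
}

// Hardened pattern: the value is validated against the finite set of skins
// the widget actually offers, and escaped for the attribute context anyway
// (defence in depth), so neither an unknown skin name nor a stray quote can
// break out of the attribute.
function render_carousel_hardened(array $settings): string
{
    $allowed_skins = ['default', 'cards', 'list'];  // assumed skin names
    $skin = $settings['course_carousel_skin'] ?? 'default';
    if (!is_string($skin) || !in_array($skin, $allowed_skins, true)) {
        $skin = 'default';
    }
    return '<div class="course-carousel skin-' . esc_attr($skin) . '"></div>';
}

// Constructed sample of attacker-controlled settings, as a contributor could
// save them through the widget editor. The value closes the class attribute
// and opens a new element carrying an event handler.
$stored_settings = [
    'course_carousel_skin' => '"><img src=x onerror="alert(document.domain)">',
];

echo "vulnerable: ", render_carousel_vulnerable($stored_settings), "\n";
echo "hardened:   ", render_carousel_hardened($stored_settings), "\n";
```

Run it with `php example.php`: the vulnerable output contains the injected `<img>` element with its `onerror` handler, while the hardened output falls back to `skin-default`. The allowlist is the real fix for an attribute that is only ever meant to select among a few fixed options; `esc_attr()` stays in place so that a later change to free-form values cannot silently reintroduce the bug.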

Exploitation requires an authenticated account with contributor-level access or higher. That is a low bar: contributors can create and edit their own content, so on a learning-management site with many instructors or guest authors such accounts are a realistic attack vector. The advantage the attacker gains is not a privilege escalation in the plugin itself but the ability to run script in other users' sessions: because the payload is stored, it executes for every user who views a page containing the tainted widget, administrators included. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is usually not the practical path; instead the script can issue authenticated requests from the victim's browser, read content visible to that user, or harvest credentials through injected forms, any of which can lead to further compromise of the site.

The operational impact of CVE-2024-5576 therefore extends beyond script execution in a single browser: an attacker can exfiltrate data visible to the victim, deface content, or redirect visitors to malicious sites. The root cause is a failure to validate and escape untrusted input before it is written into a web page, which is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and is one of the most basic requirements of secure web application development.

Organizations affected by this vulnerability should update the Tutor LMS Elementor Addons plugin to a release later than 2.1.4 without delay. The input validation and output escaping fixes belong in the plugin's code, so they are the plugin developer's responsibility; site administrators should instead review which accounts hold contributor-level or higher access and remove any that no longer need it, inspect published pages containing the Course Carousel widget for unexpected markup, and keep plugin update notices under regular review. A web application firewall and a Content Security Policy that disallows inline script reduce the impact of similar bugs as additional layers of defence, but they do not substitute for applying the update.

Reservation

05/31/2024

Disclosure

08/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00251

KEV

no

Activities

very low

Sources
