Cyber Resilience

CVE-2023-0236

Severity: Medium · Public PoC

Published: 06 February 2023
Modified: 25 March 2025
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.2008 (95.6th percentile)
Risk Priority: 24 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0236 is a medium-severity vulnerability of unspecified weakness type in Themeum Tutor LMS. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The vulnerability CVE-2023-0236 affects the Tutor LMS WordPress plugin before version 2.0.10 and consists of reflected cross-site scripting caused by missing sanitization and escaping of the reset_key and user_id parameters before they are written back into HTML attributes.

An unauthenticated remote attacker can supply crafted values for these parameters in a URL and induce a high-privilege user such as an administrator to visit the link, resulting in script execution within the victim's session that yields limited confidentiality and integrity impact across origins.
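The root cause and its fix, as an added example that is not Tutor LMS's own code: a hypothetical form-rendering function that writes both parameters unescaped into HTML attributes, beside a hardened version that validates on input and escapes for the attribute context on output. The helpers absint(), wp_unslash(), sanitize_text_field() and esc_attr() are real WordPress core functions; the two render functions and the $request array are assumptions made for the illustration.

```php
<?php
// Illustrative only, not Tutor LMS code. Shows the bug class behind
// CVE-2023-0236 (request parameters echoed into HTML attributes without
// sanitisation or escaping) and the corrected pattern using WP core helpers.

// Vulnerable pattern (hypothetical): request values flow straight into
// attribute values, so a quote or angle bracket in either parameter becomes
// part of the markup instead of being treated as data.
function render_reset_form_vulnerable( array $request ): string {
    $reset_key = $request['reset_key'] ?? '';
    $user_id   = $request['user_id'] ?? '';
    return '<input type="hidden" name="reset_key" value="' . $reset_key . '">'
         . '<input type="hidden" name="user_id" value="' . $user_id . '">';
}

// Hardened pattern: validate and sanitise on input, then escape for the
// exact output context (an HTML attribute) at the moment of output.
function render_reset_form_hardened( array $request ): string {
    // user_id is numeric by definition; absint() turns anything else into 0.
    $user_id = absint( $request['user_id'] ?? 0 );

    // WordPress slashes request superglobals, so unslash first, then strip
    // tags, control characters and surrounding whitespace.
    $reset_key = sanitize_text_field( wp_unslash( $request['reset_key'] ?? '' ) );

    // esc_attr() encodes ", ', <, > and &, so the value can never terminate
    // the attribute or open a new tag regardless of what was submitted.
    return '<input type="hidden" name="reset_key" value="' . esc_attr( $reset_key ) . '">'
         . '<input type="hidden" name="user_id" value="' . esc_attr( (string) $user_id ) . '">';
}
```

Sanitising on input alone is not sufficient: the escaping step must match the output context, and an attribute context needs esc_attr() rather than esc_html().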

The referenced WPScan advisory at https://wpscan.com/vulnerability/503835db-426d-4b49-85f7-c9a20d6ff5b8 documents the flaw and the affected versions.

The associated EPSS score stands at 0.2008 with no material change from its recorded peak.

Vulnerability details

The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

themeum · tutor lms · ≤ 2.0.10

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.