PatchSiren cyber security CVE debrief
CVE-2021-47975 WordPress CVE debrief
CVE-2021-47975 describes a stored cross-site scripting issue in WP Learn Manager 1.1.2. The supplied record says attacker-supplied content in the fieldtitle parameter can be posted to the jslm_fieldordering page and later execute in an administrator’s browser when the field ordering interface is viewed.
- Vendor: WordPress
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-16
- Original CVE updated: 2026-05-16
- Advisory published: 2026-05-16
- Advisory updated: 2026-05-16
Who should care
WordPress site owners, administrators, and security teams running WP Learn Manager 1.1.2 should treat this as relevant, especially where untrusted users can influence plugin-managed form fields or where administrators regularly review the field ordering interface.
Technical summary
The supplied description identifies a stored XSS condition in the WP Learn Manager plugin. Malicious script content is accepted via the fieldtitle parameter on the jslm_fieldordering page and is then rendered back in the admin-facing field ordering interface, creating a browser-side code execution risk when an administrator views the stored payload. The NVD record maps the issue to CWE-79.
Defensive priority
Medium priority. Stored XSS in an admin-facing workflow can lead to session compromise, forced actions, or credential theft if malicious content is rendered in the browser, so affected installations should be reviewed promptly.
Recommended defensive actions
- Inventory WordPress sites for WP Learn Manager 1.1.2 and note any other versions of the plugin installed in your environment.
- Check whether the plugin is still needed; remove or disable it if it is not required.
- Apply the vendor’s fix or upgrade path if a patched release is available from the plugin maintainers.
- Review the field ordering interface and related admin views for places where stored content is rendered back without output encoding.
- Restrict who can submit or modify plugin-managed fields and limit administrator exposure to untrusted content.
- Search for suspicious script content in stored fieldtitle values and review recent admin activity for signs of browser-side abuse.
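For the last action above, one way to triage an export of stored field titles. This is an added example, not code from the plugin or from the advisory. The row format, the sample rows and the plain-text-label policy are assumptions, since the page does not name where fieldtitle values are stored.

```python
import re
from html.parser import HTMLParser

# Assumed policy: a field title is a plain-text label, so any markup is worth review.
HIGH_RISK_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "style", "link", "meta", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
TAG_START = re.compile(r"<[A-Za-z/!?]")


class _TagCollector(HTMLParser):
    """Collects tags, inline event handlers and script-bearing URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        kind = "risky-tag" if tag in HIGH_RISK_TAGS else "tag"
        self.findings.add(f"{kind}:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.add(f"event-handler:{name}")
            # Browsers ignore tabs, newlines and control bytes inside a URL scheme.
            url = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if name in URL_ATTRS and url.startswith(("javascript:", "vbscript:", "data:text/html")):
                self.findings.add(f"script-url:{name}")


def scan_title(value):
    """Return a sorted list of findings for one stored title ([] means plain text)."""
    parser = _TagCollector()
    parser.feed(value)
    parser.close()
    if not parser.findings and TAG_START.search(value):
        parser.findings.add("unparsed-markup")  # e.g. a tag with no closing '>'
    return sorted(parser.findings)


def scan_rows(rows):
    """rows: iterable of (row_id, title). Returns {row_id: findings} for flagged rows."""
    return {rid: f for rid, title in rows if (f := scan_title(title))}


# Constructed sample rows standing in for an export of stored field titles.
SAMPLE_ROWS = [(1, "First name"), (2, "Price < 10 & > 5"), (3, "Email <b>address</b>"),
               (4, "<img src=x onerror=alert(1)>"), (5, '<a href="java\tscript:alert(1)">x</a>')]

if __name__ == "__main__":
    for row_id, findings in scan_rows(SAMPLE_ROWS).items():
        print(row_id, findings)
```

Rows flagged only with `tag:` findings may be harmless formatting, but they still show that markup reached storage unencoded and deserve a look.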
Evidence notes
The supplied source corpus includes the NVD record for CVE-2021-47975, which marks the issue as received and maps it to CWE-79. The record’s description states that WP Learn Manager 1.1.2 has a stored XSS issue involving the fieldtitle parameter and the jslm_fieldordering page. Supporting references in the corpus point to the WordPress plugin page, the plugin’s site, a VulnCheck advisory, and an Exploit-DB entry. The corpus does not provide a verified fixed version or broader impact details beyond the stored XSS description and CVSS 5.1 medium severity.
Official resources
The supplied CVE/NVD record timestamps are 2026-05-16, which should be treated as record metadata rather than the original flaw introduction date. The corpus does not provide the first disclosure date or a verified patch release date.