WebinarPress <= 1.33.9 - Reflected Cross-Site Scripting

Wordfence Intelligence   >   Vulnerability Database   >   WebinarPress <= 1.33.9 - Reflected Cross-Site Scripting
6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE CVE-2024-31256
CVSS 6.1 (Medium)
Publicly Published April 5, 2024
Last Updated April 11, 2024
Researcher Le Ngoc Anh - sun*inc

Description

The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.33.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for WebinarPress – Webinar System for WordPress

WebinarPress – Webinar System for WordPress

Software Type Plugin
Software Slug wp-webinarsystem (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.33.10, or a newer patched version
Affected Version
  • <= 1.33.9
Patched Version
  • 1.33.10

Recent vulnerabilities in WebinarPress – Webinar System for WordPress

WebinarPress <= 1.33.28 - Missing Authorization
4.3
CVE-2025-62972
Oct 19, 2025
Researcher: Legion Hunter
WebinarPress <= 1.33.27 - Authenticated (Administrator+) Server-Side Request Forgery
5.5
CVE-2025-47635
May 7, 2025
Researcher: Trương Hữu Phúc (truonghuuphuc)
WebinarPress <= 1.33.27 - Open Redirect
6.1
CVE-2025-32693
Apr 9, 2025
Researcher: Le Ngoc Anh
WebinarPress <= 1.33.27 - Authenticated (Administrator+) Stored Cross-Site Scripting
4.4
CVE-2025-31883
Apr 1, 2025
Researcher: Pham Van Tam
WebinarPress <= 1.33.27 - Missing Authorization
4.3
CVE-2025-31882
Apr 1, 2025
Researcher: Peter Thaleikis
WordPress Webinar Plugin – WebinarPress <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Webinar Updates
8.8
CVE-2024-11271
Jan 7, 2025
Researcher: Lucio Sá
WordPress Webinar Plugin – WebinarPress <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation
8.8
CVE-2024-11270
Jan 7, 2025
Researcher: Lucio Sá
WebinarPress <= 1.33.20 - Cross-Site Request Forgery
4.3
CVE-2024-43339
Aug 16, 2024
Researcher: Le Ngoc Anh
WordPress Webinar Plugin – WebinarPress <= 1.33.20 - Cross-Site Request Forgery
4.3
CVE-2024-34818
May 9, 2024
Researcher: Majed Refaea
# Title CVE ID CVSS Researchers Date
1 WebinarPress <= 1.33.28 - Missing Authorization CVE-2025-62972 4.3 Legion Hunter October 19, 2025
2 WebinarPress <= 1.33.27 - Authenticated (Administrator+) Server-Side Request Forgery CVE-2025-47635 5.5 Trương Hữu Phúc (truonghuuphuc) May 7, 2025
3 WebinarPress <= 1.33.27 - Open Redirect CVE-2025-32693 6.1 Le Ngoc Anh April 9, 2025
4 WebinarPress <= 1.33.27 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2025-31883 4.4 Pham Van Tam April 1, 2025
5 WebinarPress <= 1.33.27 - Missing Authorization CVE-2025-31882 4.3 Peter Thaleikis April 1, 2025
6 WordPress Webinar Plugin – WebinarPress <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Webinar Updates CVE-2024-11271 8.8 Lucio Sá January 7, 2025
7 WordPress Webinar Plugin – WebinarPress <= 1.33.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation CVE-2024-11270 8.8 Lucio Sá January 7, 2025
8 WebinarPress <= 1.33.20 - Cross-Site Request Forgery CVE-2024-43339 4.3 Le Ngoc Anh August 16, 2024
9 WordPress Webinar Plugin – WebinarPress <= 1.33.20 - Cross-Site Request Forgery CVE-2024-34818 4.3 Majed Refaea May 9, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation