Rocket LMS 1.9 Exploit, Persistent Cross Site Scripting (XSS)

# Title: Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)
# Date: 04/16/2024
# Exploit Author: Sergio Medeiros
# Vendor Homepage:
# Software Link:
# Version: 1.9
# Tested on Firefox and Chrome Browsers
# Patched Version: Patch Pending
# Category: Web Application
# CVE: CVE-2024-34241
# Exploit link:
# PoC:

In order to exploit this systemic stored XSS vulnerability, identify theareas in the web application which has a WYSIWIG editor used, for example, the create/edit course description section.
Input random text in the description section, and create the course while intercepting the request with BurpSuite or your preferred proxy of choice.

In the *description* parameter or the associated parameter that is handling the user input related to the WYSIWIG editor, input the following payload and then issue the request:

All rights reserved 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD