The plugin does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues
1. On the dashboard, navigate to WP Courses > Courses > Add New > Video Embed Code (iframe) (in the Post settings), inject with <iframe> XSS payload, such as <iframe src="javascript:alert(document.cookie)"></iframe>; <iframe src="javascript:%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29"></iframe>
2. Click Update, and to trigger XSS payload, open URL path of course