The plugin does not sanitise its Video Embed Code field, allowing high-privilege users to inject malicious code into it even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues.
1. On the dashboard, navigate to WP Courses > Courses > Add New > Video Embed Code (iframe) (in the Post settings) and inject an XSS payload, such as ;
2. Click Update. To trigger the XSS payload, open the URL path of the course.
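
One way to close this gap, shown as an added example that is not the plugin's own code or its actual patch: pass the embed field through an iframe-only `wp_kses` allowlist on save and again on output, regardless of whether the user holds unfiltered_html. The meta key, form field, nonce action and function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Every "example_" name, the meta key
// and the form field names are hypothetical.

const EXAMPLE_EMBED_META = '_example_video_embed'; // hypothetical meta key

// Allowlist: one tag (iframe) with only the attributes a video embed needs.
// Event-handler attributes and srcdoc are absent, so wp_kses removes them.
function example_embed_allowed_html() {
    return array(
        'iframe' => array(
            'src'             => true,
            'width'           => true,
            'height'          => true,
            'title'           => true,
            'allow'           => true,
            'allowfullscreen' => true,
            'frameborder'     => true,
        ),
    );
}

function example_sanitize_embed( $raw ) {
    // The third argument restricts URL attributes such as src to https.
    return wp_kses( (string) $raw, example_embed_allowed_html(), array( 'https' ) );
}

add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['example_video_embed'], $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_embed' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Always filter: do not skip this for users who hold unfiltered_html.
    $clean = example_sanitize_embed( wp_unslash( $_POST['example_video_embed'] ) );
    update_post_meta( $post_id, EXAMPLE_EMBED_META, wp_slash( $clean ) );
} );

function example_render_embed( $post_id ) {
    $stored = get_post_meta( $post_id, EXAMPLE_EMBED_META, true );
    // Filter again on output so values saved before the fix are cleaned too.
    echo example_sanitize_embed( $stored );
}
```

Filtering at render time as well as at save time matters here because embed values stored before an upgrade remain in the database unchanged.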
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-courses | lt | 2.0.44 |