The plugin does not escape some course parameters, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
Create/Edit a Course, add a new Topic and put the following payload as the Topic Name: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when editing the topic.

Create/edit a Lesson (click on a topic to display the create button), then put the following payload in the Lesson Name field: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
The XSS will be triggered when editing the lesson.
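The missing output escaping and its fix, as an added example that is not the plugin's own code. It assumes the stored name is echoed into a double-quoted value attribute of the edit form (which the payload's leading quote suggests); the field name topic_title and all function names are hypothetical, and htmlspecialchars() stands in for WordPress's esc_attr() when run outside WordPress.

```php
<?php
// Added illustration, not the plugin's code. "topic_title" is a hypothetical field name.

// Payload taken from the proof of concept above.
$payload = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//';

// Vulnerable pattern: the stored value is concatenated into a quoted attribute as-is,
// so the leading double quote closes value="..." and the rest becomes new attributes.
function render_unescaped(string $title): string {
    return '<input type="text" name="topic_title" value="' . $title . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// Inside WordPress this is esc_attr(); htmlspecialchars() is the stand-in elsewhere.
function render_escaped(string $title): string {
    $safe = function_exists('esc_attr')
        ? esc_attr($title)
        : htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="topic_title" value="' . $safe . '">';
}

// Parse the markup and return the attribute names present on the <input> element.
// Any name beyond type/name/value means the stored value escaped its attribute.
function input_attributes(string $html): array {
    libxml_use_internal_errors(true);          // tolerate sloppy HTML without warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Compare both renderings of the same stored value.
$renderings = [
    'unescaped' => render_unescaped($payload),
    'escaped'   => render_escaped($payload),
];
foreach ($renderings as $label => $html) {
    $extra = array_diff(input_attributes($html), ['type', 'name', 'value']);
    echo $label, ': ', $html, PHP_EOL;
    echo '  injected attributes: ', $extra ? implode(', ', $extra) : 'none', PHP_EOL;
}
```

Because the escaping happens at output, it holds regardless of whether the saving user has unfiltered_html.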
2022-09-26 (about 8 months ago)