The plugin does not sanitise its Video Embed Code field, allowing high-privilege users to inject malicious code into it even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues.
1. On the dashboard, navigate to WP Courses > Courses > Add New > Video Embed Code (iframe) (in the Post settings) and inject an <iframe> XSS payload, such as <iframe src="javascript:alert(document.cookie)"></iframe> or <iframe src="javascript:%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29"></iframe>
2. Click Update. To trigger the XSS payload, open the URL path of the course.
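One way to close this class of bug, shown as an added example and not the plugin's own code or its actual patch: reduce the submitted embed code to a single https URL on an allow-listed host, store only that URL, and rebuild the iframe on output. The function names, form field, nonce action, meta key and host list are hypothetical.

```php
<?php
// Added example: function names, field name, nonce action, meta key and host list are hypothetical.

// Assumption: the site only embeds video from these hosts.
const EXAMPLE_EMBED_HOSTS = array( 'www.youtube.com', 'player.vimeo.com' );

// Return $url only if it is https and points at an allow-listed host, else ''.
function example_validate_embed_url( $url ) {
	// esc_url_raw() returns '' when the scheme is not in the allowed list,
	// so javascript: (plain or with a percent-encoded body) is rejected.
	$url  = esc_url_raw( trim( (string) $url ), array( 'https' ) );
	$host = $url ? wp_parse_url( $url, PHP_URL_HOST ) : '';
	return in_array( strtolower( (string) $host ), EXAMPLE_EMBED_HOSTS, true ) ? $url : '';
}

// Reduce submitted embed code to one validated URL; the markup itself is discarded.
function example_sanitize_video_embed( $raw ) {
	// Drop everything except <iframe src>, regardless of unfiltered_html.
	$clean = wp_kses( (string) $raw, array( 'iframe' => array( 'src' => true ) ), array( 'https' ) );
	if ( ! preg_match( '/<iframe\s[^>]*?src=(["\'])(.*?)\1/i', $clean, $m ) ) {
		return '';
	}
	return example_validate_embed_url( html_entity_decode( $m[2], ENT_QUOTES ) );
}

// Store only the validated URL when the course is saved.
add_action( 'save_post', function ( $post_id ) {
	if ( ! isset( $_POST['example_video_embed'], $_POST['example_embed_nonce'] )
		|| ! wp_verify_nonce( sanitize_key( $_POST['example_embed_nonce'] ), 'example_save_embed' )
		|| ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}
	$url = example_sanitize_video_embed( wp_unslash( $_POST['example_video_embed'] ) );
	update_post_meta( $post_id, '_example_video_url', $url );
} );

// Rebuild the iframe on output from the stored URL, escaping late.
function example_render_video_embed( $post_id ) {
	// Re-validate so values saved before the fix are never echoed as-is.
	$url = example_validate_embed_url( get_post_meta( $post_id, '_example_video_url', true ) );
	if ( '' === $url ) {
		return '';
	}
	return sprintf( '<iframe src="%s" allowfullscreen></iframe>', esc_url( $url, array( 'https' ) ) );
}
```

Because validation also runs at render time, embed values saved before the change are rejected on output without a separate database cleanup.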
Tri Wanda Septian
Tri Wanda Septian
Yes
2021-08-16 (about 9 months ago)
2021-08-16 (about 9 months ago)
2022-04-08 (about 1 months ago)