LearnPress / learnpress

LearnPress WordPress LMS Plugin by ThimPress
https://thimpress.com/learnpress

Cross Site Scripting issues in: FilterCourseElementor.php #562

Open YouGina opened 9 months ago

YouGina commented 9 months ago

The following lines are vulnerable to XSS:

https://github.com/LearnPress/learnpress/blob/2e7a0466e5015531cda92ddba8fae07d63c02f42/inc/ExternalPlugin/Elementor/Widgets/Course/FilterCourseElementor.php#L203

https://github.com/LearnPress/learnpress/blob/2e7a0466e5015531cda92ddba8fae07d63c02f42/inc/ExternalPlugin/Elementor/Widgets/Course/FilterCourseElementor.php#L210

https://github.com/LearnPress/learnpress/blob/2e7a0466e5015531cda92ddba8fae07d63c02f42/inc/ExternalPlugin/Elementor/Widgets/Course/FilterCourseElementor.php#L215-L219

https://github.com/LearnPress/learnpress/blob/2e7a0466e5015531cda92ddba8fae07d63c02f42/inc/ExternalPlugin/Elementor/Widgets/Course/FilterCourseElementor.php#L223-L227

https://github.com/LearnPress/learnpress/blob/2e7a0466e5015531cda92ddba8fae07d63c02f42/inc/ExternalPlugin/Elementor/Widgets/Course/FilterCourseElementor.php#L234

This code is disabled in the current version that is downloadable via wordpress.org, but enabled in the current development version. It would be great if this could be solved before going to production.
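For readers following the report, the fix for output-based XSS in a WordPress widget is to escape every user-controlled value for the exact HTML context it lands in (attribute, text node, URL) at the point it is echoed. The following is an added illustration written for this page, not code from LearnPress or the linked FilterCourseElementor.php: the widget name, the request parameter `c_search`, the URL parameter and the sample input are all assumed for the example. The `function_exists` fallbacks only make it runnable with the PHP CLI outside WordPress; inside WordPress the real `esc_html()`, `esc_attr()`, `esc_url()` and `sanitize_text_field()` are used.

```php
<?php
// Added example (not LearnPress code): a course-filter form that echoes request
// values. Parameter names and the sample request are assumptions for illustration.

// Stand-alone fallbacks so the file runs with plain `php`; WordPress defines these itself.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}
}
if ( ! function_exists( 'esc_url' ) ) {
	function esc_url( $url ) {
		$url    = (string) $url;
		$scheme = parse_url( $url, PHP_URL_SCHEME );
		// Only allow http(s) so javascript: and data: schemes cannot be reflected.
		if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
			return '';
		}
		return htmlspecialchars( $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
	function sanitize_text_field( $str ) {
		return trim( strip_tags( (string) $str ) );
	}
}

// Vulnerable pattern: request data concatenated straight into markup.
// A quote in c_search closes the value attribute and the rest becomes HTML.
function render_filter_unsafe( array $request ): string {
	$search = $request['c_search'] ?? '';
	$reset  = $request['reset_url'] ?? '';
	return '<input type="text" name="c_search" value="' . $search . '">'
		. '<a href="' . $reset . '">Reset</a>'
		. '<span class="lp-filter-label">' . $search . '</span>';
}

// Hardened pattern: sanitize on input, then escape for each output context.
function render_filter_safe( array $request ): string {
	$search = sanitize_text_field( $request['c_search'] ?? '' );
	$reset  = $request['reset_url'] ?? '';
	return '<input type="text" name="c_search" value="' . esc_attr( $search ) . '">'
		. '<a href="' . esc_url( $reset ) . '">Reset</a>'
		. '<span class="lp-filter-label">' . esc_html( $search ) . '</span>';
}

// Constructed request: a value that breaks out of the attribute, and a non-http URL.
$constructed_request = array(
	'c_search'  => '"><b>injected</b>',
	'reset_url' => 'javascript:void(0)',
);

echo "UNSAFE: ", render_filter_unsafe( $constructed_request ), PHP_EOL;
echo "SAFE:   ", render_filter_safe( $constructed_request ), PHP_EOL;
```

Run it with `php filter-escape-example.php`: the unsafe line shows `<b>injected</b>` emitted as live markup and a `javascript:` href kept intact, while the safe line keeps the same value inside the attribute as `&quot;&gt;&lt;b&gt;...` and drops the non-http URL to an empty `href`. The general rule it demonstrates is one escaping call per output context; `sanitize_text_field()` on input is a defence in depth, not a substitute for escaping on output.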

tungnxt89 commented 1 week ago

Hi YouGina,

Currently, we don't release this widget, but in the code we'll fix it in v4.2.7.1.

Thanks. Best Regards!