On March 18th, Signal Labs shared a vulnerability report with 5 security issues.
There were XSS vulnerabilities, which have been fixed by this PR.
TPDF and assignment downloads had missing permission checks that could be exploited. These are fixed in this PR and in others in the affected add-ons.
An unlimited number of assignment files could be uploaded by directly posting to the endpoints. This has been fixed in a PR to the affected assignments add-on.
The my-grades endpoint was vulnerable to SQL injection, which could be used for DDoS attacks. This has been fixed in this PR.
Description
A fifth issue around nonces being used more than once was reported back to Signal Labs as "will not fix". This is a known issue with WordPress nonces. More information can be found here: https://developer.wordpress.org/news/2023/08/01/understand-and-use-wordpress-nonces-properly/
We don't feel the need currently to implement "true" one-time-use nonces for any of the form submissions or actions managed by the LifterLMS codebase.
Thanks again to Signal Labs for the responsible disclosure of these issues.
How has this been tested?
Manually and some unit testing.