The plugin does not properly sanitise or escape various inputs within the course settings, which could allow high-privilege users (such as administrators) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
When adding a new course, an XSS payload such as "><script>alert(1)</script> can be injected into the following fields, which are then rendered without escaping:
- Course Settings > General > External Link field
- Course Settings > Extra Information > Requirements field
- Course Settings > Extra Information > Target Audience field
- Course Settings > Extra Information > Key Features field
- Course Settings > Extra Information > FAQ Title field
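The following is an added illustration, not the plugin's own code: it shows the attribute-injection pattern the payload above relies on, and how the same fields would be stored and rendered safely with WordPress's context-specific escaping functions. The meta keys (_course_external_link, _course_requirements), the render/save function names and the field names in $input are assumptions made for the example; esc_url(), esc_url_raw(), esc_attr(), wp_kses_post(), current_user_can() and the post-meta API are WordPress core.

```php
<?php
// Added example (not the plugin's code). Assumes it runs inside WordPress.
// Meta keys and function names are hypothetical.

// Constructed payload of the kind reported: closes the attribute value
// and the tag, then injects a script element.
$payload = '"><script>alert(1)</script>';

// --- Vulnerable pattern: the stored value is written into an attribute as-is.
function render_external_link_vulnerable( $link ) {
    return '<a href="' . $link . '">External link</a>';
}
// With $payload this yields:
//   <a href=""><script>alert(1)</script>">External link</a>
// The browser closes the <a> early and executes the script for every viewer.

// --- Hardened pattern: escape on output with the escaper for the context.
function render_external_link( $link ) {
    // esc_url() encodes the quote and angle brackets the payload needs and
    // drops non-allowlisted schemes such as javascript:.
    return '<a href="' . esc_url( $link ) . '">External link</a>';
}

function render_faq_title( $title ) {
    // Plain-text fields: esc_attr() for attribute context, esc_html() for body text.
    return '<h3 class="faq-title" data-title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</h3>';
}

function render_requirements( $html ) {
    // Free-text fields that legitimately contain markup: wp_kses_post() keeps
    // the tags post authors may use but strips <script> and on* handlers.
    return '<div class="course-requirements">' . wp_kses_post( $html ) . '</div>';
}

// --- Sanitise on save as well. Post meta is not run through the kses filters
// that WordPress applies to post_content, so when the site disallows
// unfiltered_html (DISALLOW_UNFILTERED_HTML, or a non-super-admin on multisite)
// the plugin has to enforce that capability itself.
function save_course_settings( $post_id, array $input ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $link = isset( $input['external_link'] ) ? esc_url_raw( $input['external_link'] ) : '';
    $reqs = isset( $input['requirements'] ) ? $input['requirements'] : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $reqs = wp_kses_post( $reqs );
    }
    update_post_meta( $post_id, '_course_external_link', $link );
    update_post_meta( $post_id, '_course_requirements', $reqs );
}
```

The check a reviewer would run against each field in the list above is the same: follow the value from the form handler to every place it is echoed, and confirm that the escaper matches the output context (esc_url() for href, esc_attr() inside attributes, esc_html() in element bodies, wp_kses_post() where HTML is intended). Escaping on output is what stops the payload from executing; the save-time kses step is what makes the unfiltered_html restriction actually hold.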