The plugin does not sanitise and escape Course’s module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
On the Learning Management page (/wp-admin/admin.php?page=cluevo-lms), click Add Course, then put the following payload in the Insert Module field and click on the Save button: "><script>alert(/XSS/)</script>