The plugin does not properly sanitize or escape various inputs within course settings, which could allow high-privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
When adding new courses, the following fields can have XSS payloads like "> injected into them:
- Course Settings > General > External Link field
- Course Settings > Extra Information > Requirements field
- Course Settings > Extra Information > Target Audience field
- Course Settings > Extra Information > Key Features field
- Course Settings > Extra Information > FAQ Title field
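A sketch of how the five fields above could be sanitized on save and escaped on output. This is an added example, not the plugin's own code, and it runs inside WordPress. The post type, meta keys and nonce names are hypothetical, and treating the three Extra Information text areas as rich text is an assumption.

```php
<?php
// Hypothetical meta keys for the affected fields, mapped to the handling each needs.
const EXAMPLE_COURSE_FIELDS = array(
    '_example_external_link'   => 'url',
    '_example_requirements'    => 'rich',
    '_example_target_audience' => 'rich',
    '_example_key_features'    => 'rich',
    '_example_faq_title'       => 'text',
);

// Sanitize one submitted value according to its field type.
function example_sanitize_course_field( $value, $type ) {
    $value = wp_unslash( $value );
    if ( 'url' === $type ) {
        return esc_url_raw( $value, array( 'http', 'https' ) );
    }
    if ( 'rich' === $type ) {
        // Raw HTML is kept only for users who hold unfiltered_html;
        // everyone else gets the post-content allowlist.
        return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
    }
    return sanitize_text_field( $value );
}

// Save handler for a hypothetical "example_course" post type.
add_action( 'save_post_example_course', function ( $post_id ) {
    $nonce = isset( $_POST['example_course_nonce'] ) ? wp_unslash( $_POST['example_course_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_course_save' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    foreach ( EXAMPLE_COURSE_FIELDS as $key => $type ) {
        if ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) {
            $clean = example_sanitize_course_field( $_POST[ $key ], $type );
            update_post_meta( $post_id, $key, wp_slash( $clean ) ); // update_post_meta expects slashed data
        }
    }
} );

// Settings screen: the stored value goes into an attribute, so a leading "> stays inert.
function example_course_input( $post_id, $key ) {
    $value = (string) get_post_meta( $post_id, $key, true );
    return '<input type="text" name="' . esc_attr( $key ) . '" value="' . esc_attr( $value ) . '">';
}

// Front end: escape for the context the value is printed in.
function example_render_course_field( $post_id, $key ) {
    $value = (string) get_post_meta( $post_id, $key, true );
    switch ( EXAMPLE_COURSE_FIELDS[ $key ] ) {
        case 'url':
            return '<a href="' . esc_url( $value ) . '">' . esc_html( $value ) . '</a>';
        case 'rich':
            return $value; // already filtered at save time for users without unfiltered_html
        default:
            return esc_html( $value );
    }
}
```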