@Anindra123 Anindra123 commented Dec 2, 2025

Security Issue Fix for 3.9.4

Issue 1

  • Inside the CouponController class, for both AJAX methods bulk_action_handler and coupon_permanent_delete, there is a check for user capability; however, the error message is not returned: the method tutor_utils()->error_message() is called but not returned, so the methods do not return.

  • To fix this I have used the method tutor_utils()->check_current_user_capability(), which correctly checks user capability and returns a JSON error if unauthorized.

Issue 2

  • On the pay_now action, which is called during checkout, you can inject SQL on the coupon_code argument when passing the form data during checkout.

  • This in turn runs a SQL query when trying to query the data of the coupon code by calling the get_coupon method inside the CouponModel class.

  • This calls the QueryHelper::get_row method, which takes a where clause, and when preparing the where clause the malicious SQL code gets added.

  • To fix this I have put coupon_code inside an esc_sql inside the get_coupon_details_for_checkout method, which calls the get_coupon method and passes the coupon_code.

Issue 3

  • On the tutor_order_details action, the method it calls has a nonce check but no capability check.

  • After looking over everywhere this action was called, I have found out that it is only used for admin users, not any other users.

  • So to fix it I added the tutor_utils()->check_current_user_capability() method so that only admins can view the order details.

Issue 4

  • On the mark_course_complete() method no check was provided on whether the user is enrolled, allowing any user to mark a course as complete even if it is a paid course.

  • To fix it I added a check if the user is enrolled using tutor_utils()->is_enrolled(); if not, then exit from the function.

Issue 5

  • On the course_enrollment() method there is no check if the course is purchasable, allowing a user to enroll in a course with an AJAX call.

  • To fix this I added the tutor_utils()->is_course_purchasable() check to check if the user needs to purchase the course before enrollment.

@Anindra123 Anindra123 requested a review from shewa12 December 2, 2025 09:54
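As an added illustration from a reviewer's side, not code from this pull request or from Tutor LMS, the two patterns behind Issues 1 to 3 in plain WordPress terms: a coupon lookup whose where clause is interpolated from request input, beside the esc_sql() fix the PR applies and the $wpdb->prepare() form, and an AJAX handler that actually stops when the capability check fails. The function names, table name and nonce action are assumptions.

```php
<?php
// Added example (not the plugin's code). Assumes a WordPress runtime: global $wpdb,
// $wpdb->prepare(), $wpdb->get_row(), esc_sql(), check_ajax_referer(),
// current_user_can(), wp_send_json_*(). Table name and nonce action are assumptions.

// Issue 2 pattern: the where clause is built from request input, so a value such as
// "abc' OR '1'='1" rewrites the query instead of being matched as a coupon code.
function coupon_lookup_interpolated( string $coupon_code ) {
    global $wpdb;
    $where = "coupon_code = '" . $coupon_code . "'"; // unsafe: raw input inside SQL
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}tutor_coupons WHERE {$where}" );
}

// Fix as applied in the PR: escape the value before placing it in the quoted literal.
// esc_sql() is only correct when the value sits inside single quotes, as it does here.
function coupon_lookup_escaped( string $coupon_code ) {
    global $wpdb;
    $where = "coupon_code = '" . esc_sql( $coupon_code ) . "'";
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}tutor_coupons WHERE {$where}" );
}

// Preferred form: $wpdb->prepare() binds the value, so quoting is never hand-rolled
// and the placeholder type (%s) documents what the column expects.
function coupon_lookup_prepared( string $coupon_code ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}tutor_coupons WHERE coupon_code = %s",
        $coupon_code
    );
    return $wpdb->get_row( $sql );
}

// Issues 1 and 3 pattern: an admin-only AJAX handler must stop when authorization fails.
// wp_send_json_error() ends the request itself; a helper that only builds a message
// does not, so its result has to be returned (or the handler has to exit) explicitly.
function admin_coupon_details_handler() { // hypothetical handler name
    check_ajax_referer( 'tutor_coupon_details', '_tutor_nonce' ); // assumed action/field
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 ); // dies here
    }
    $coupon_code = isset( $_POST['coupon_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['coupon_code'] ) )
        : '';
    $coupon = coupon_lookup_prepared( $coupon_code );
    if ( null === $coupon ) {
        wp_send_json_error( array( 'message' => 'Coupon not found' ), 404 );
    }
    wp_send_json_success( $coupon );
}
```

esc_sql() only protects a value that lands inside a quoted string literal; if a where clause ever places the value unquoted (a numeric or identifier position), escaping does nothing, which is why the prepared form is the safer default.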