LearnPress – WordPress LMS Plugin - Version 4.1.3.2

Version Description

(2021-10-15) = ~ Fixed: security CVE-2021-39348; added sanitization for some parameters that were missing it.


Release Info

Developer ThimPress
Version 4.1.3.2

Code changes from version 4.1.3.1 to 4.1.3.2

inc/admin/meta-box/class-lp-meta-box-helper.php CHANGED
@@ -149,7 +149,7 @@ if ( ! class_exists( 'LP_Meta_Box_Helper' ) ) {
149
  $value = '1' === $raw_value || 'yes' === $raw_value ? 'yes' : 'no';
150
  break;
151
  case 'textarea':
152
- $value = wp_kses_post( trim( $raw_value ) );
153
  break;
154
  case 'multiselect':
155
  case 'multi_select_countries':
@@ -192,6 +192,9 @@ if ( ! class_exists( 'LP_Meta_Box_Helper' ) ) {
192
  $value[ $cfsort ] = $feilds;
193
  }
194
  }
 
 
 
195
  break;
196
 
197
  case 'image_advanced':
@@ -202,9 +205,10 @@ if ( ! class_exists( 'LP_Meta_Box_Helper' ) ) {
202
  break;
203
  case 'email-content':
204
  $value = ! empty( $raw_value ) ? $raw_value : array();
 
205
  break;
206
  default:
207
- $value = learnpress_clean( $raw_value );
208
  break;
209
  }
210
 
149
  $value = '1' === $raw_value || 'yes' === $raw_value ? 'yes' : 'no';
150
  break;
151
  case 'textarea':
152
+ $value = LP_Helper::sanitize_params_submitted( trim( $raw_value ), 'html' );
153
  break;
154
  case 'multiselect':
155
  case 'multi_select_countries':
192
  $value[ $cfsort ] = $feilds;
193
  }
194
  }
195
+
196
+ $value = LP_Helper::sanitize_params_submitted( $value );
197
+
198
  break;
199
 
200
  case 'image_advanced':
205
  break;
206
  case 'email-content':
207
  $value = ! empty( $raw_value ) ? $raw_value : array();
208
+ $value = LP_Helper::sanitize_params_submitted( $value, 'html' );
209
  break;
210
  default:
211
+ $value = LP_Helper::sanitize_params_submitted( $raw_value );
212
  break;
213
  }
214
 
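Review bot: The `textarea` and `email-content` cases now depend on the `'html'` branch of `LP_Helper::sanitize_params_submitted()`, which is not part of this diff, while the line they replace used `wp_kses_post()`; whether the new path still limits stored markup to the allowed post tags cannot be confirmed from here. A call-site comment would pin the contract, e.g. `// 'html' is expected to apply wp_kses_post-equivalent filtering; the value is stored in post meta and rendered back in the editor`. The `default` case (new line 211) goes through the helper's text branch, which after this release no longer calls `wp_unslash()`, so the value now carries WordPress's added slashes until `update_post_meta()` strips them — fine for meta, but any other consumer of `$value` should be checked. The enclosing method starts and ends outside the hunks.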
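--- a/inc/admin/views/backend-user-profile.php
+++ b/inc/admin/views/backend-user-profile.php
@@ -46,7 +46,7 @@ $custom_profile = lp_get_user_custom_register_fields( $user->ID );
 case 'url':
 case 'tel':
 ?>
-<input name="_lp_custom_register[<?php echo esc_attr( $field['id'] ); ?>]" type="<?php echo esc_attr( $field['type'] ); ?>" class="regular-text" value="<?php echo isset( $custom_profile[ $field['id'] ] ) ? $custom_profile[ $field['id'] ] : ''; ?>">
+<input name="_lp_custom_register[<?php echo esc_attr( $field['id'] ); ?>]" type="<?php echo esc_attr( $field['type'] ); ?>" class="regular-text" value="<?php echo esc_attr( $custom_profile[ $field['id'] ] ?? '' ); ?>">
 <?php
 break;
 case 'textarea':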
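--- a/inc/admin/views/meta-boxes/fields/extra-faq.php
+++ b/inc/admin/views/meta-boxes/fields/extra-faq.php
@@ -35,7 +35,7 @@ class LP_Meta_Box_Extra_Faq_Field extends LP_Meta_Box_Field {
 <div class="lp_course_faq_meta_box__field">
 <label>
 <span><?php esc_attr_e( 'Title', 'learnpress' ); ?></span>
-<input type="text" name="_lp_faqs_question[]" value="<?php echo $faq[0]; ?>">
+<input type="text" name="_lp_faqs_question[]" value="<?php echo esc_attr( $faq[0] ); ?>">
 </label>
 <label>
 <span><?php esc_attr_e( 'Content', 'learnpress' ); ?></span>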
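Review bot: Only the Title input is escaped here; the Content control that follows the `Content` label on line 41 is outside the hunk, and if it echoes `$faq[1]` the same way the old Title line did, it needs `esc_attr()` (or `esc_textarea()` for a textarea) as well. Worth checking in the same pass, since both values come from the same saved meta.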
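--- a/inc/admin/views/meta-boxes/fields/extra.php
+++ b/inc/admin/views/meta-boxes/fields/extra.php
@@ -33,7 +33,7 @@ class LP_Meta_Box_Extra_Field extends LP_Meta_Box_Field {
 <?php foreach ( $fields as $field ) : ?>
 <div class="lp_course_extra_meta_box__field">
 <span class="sort"></span>
-<input name="<?php echo esc_attr( $this->id ); ?>[]" value="<?php echo $field; ?>" type="text" class="lp_course_extra_meta_box__input">
+<input name="<?php echo esc_attr( $this->id ); ?>[]" value="<?php echo esc_attr( $field ); ?>" type="text" class="lp_course_extra_meta_box__input">
 <a href="#" class="delete"></a>
 </div>
 <?php endforeach; ?>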
inc/admin/views/meta-boxes/fields/select.php CHANGED
@@ -99,7 +99,11 @@ class LP_Meta_Box_Select_Field extends LP_Meta_Box_Field {
99
  }
100
 
101
  public function save( $post_id ) {
102
- $value = ! empty( $_POST[ $this->id ] ) ? wp_unslash( $_POST[ $this->id ] ) : '';
 
 
 
 
103
 
104
  $multil_meta = isset( $this->extra['multil_meta'] ) ? $this->extra['multil_meta'] : false;
105
 
@@ -114,11 +118,11 @@ class LP_Meta_Box_Select_Field extends LP_Meta_Box_Field {
114
  $new_val = array_diff( $array_new_values, $array_get_values );
115
 
116
  foreach ( $del_val as $level_id ) {
117
- delete_post_meta( $post_id, '_lp_co_teacher', $level_id );
118
  }
119
 
120
  foreach ( $new_val as $level_id ) {
121
- add_post_meta( $post_id, '_lp_co_teacher', $level_id, false );
122
  }
123
  } else {
124
  update_post_meta( $post_id, $this->id, $value );
99
  }
100
 
101
  public function save( $post_id ) {
102
+ if ( ! isset( $_POST[ $this->id ] ) ) {
103
+ return;
104
+ }
105
+
106
+ $value = LP_Helper::sanitize_params_submitted( $_POST[ $this->id ] );
107
 
108
  $multil_meta = isset( $this->extra['multil_meta'] ) ? $this->extra['multil_meta'] : false;
109
 
118
  $new_val = array_diff( $array_new_values, $array_get_values );
119
 
120
  foreach ( $del_val as $level_id ) {
121
+ delete_post_meta( $post_id, $this->id, $level_id );
122
  }
123
 
124
  foreach ( $new_val as $level_id ) {
125
+ add_post_meta( $post_id, $this->id, $level_id, false );
126
  }
127
  } else {
128
  update_post_meta( $post_id, $this->id, $value );
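Review bot: The new early `return` when `$_POST[ $this->id ]` is absent (new lines 102-104) means a select whose every option was deselected — browsers send no key at all for an empty multi-select — never reaches `update_post_meta( $post_id, $this->id, $value )`, so a previously saved value can no longer be cleared; the old code fell through with `''`. Consider `$value = isset( $_POST[ $this->id ] ) ? LP_Helper::sanitize_params_submitted( $_POST[ $this->id ] ) : '';` in place of the return. No nonce or capability check is visible in `save()`; if the caller performs it, a one-line comment saying so would help the next reader. The method body continues outside the hunks.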
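--- a/inc/admin/views/meta-boxes/fields/text.php
+++ b/inc/admin/views/meta-boxes/fields/text.php
@@ -35,7 +35,7 @@ class LP_Meta_Box_Text_Field extends LP_Meta_Box_Field {
 
 $meta = $this->meta_value( $thepostid );
 $value = ! $meta && ! empty( $this->default ) ? $this->default : $meta;
-$value = isset( $extra['value'] ) ? $extra['value'] : $value;
+$value = esc_attr( $extra['value'] ?? $value );
 $type_input = $extra['type_input'] ?? 'text';
 $desc_tip = $extra['desc_tip'] ?? '';
 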
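Review bot: Escaping is applied at assignment (`$value = esc_attr( $extra['value'] ?? $value );`) rather than at the point of output, so if `$value` is later echoed with another `esc_attr()` the text is double-encoded (`&` becomes `&amp;amp;`), and if it is ever emitted outside an attribute the escape is the wrong one for that context. Prefer keeping the variable raw, `$value = $extra['value'] ?? $value;` as the wysiwyg field now does, and escaping inside the `value="…"` attribute where it is printed. The rest of the output method is outside the hunk, so this is inferred from the pattern rather than confirmed.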
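--- a/inc/admin/views/meta-boxes/fields/wysiwyg.php
+++ b/inc/admin/views/meta-boxes/fields/wysiwyg.php
@@ -34,7 +34,7 @@ class LP_Meta_Box_WP_Editor_Field extends LP_Meta_Box_Field {
 
 $meta = $this->meta_value( $thepostid );
 $value = ! $meta && ! empty( $this->default ) ? $this->default : $meta;
-$value = isset( $extra['value'] ) ? $extra['value'] : $value;
+$value = $extra['value'] ?? $value;
 $desc_tip = $extra['desc_tip'] ?? '';
 
 echo '<div class="lp-meta-box__wp-editor form-field ' . $this->id . '_field ' . $wrapper_class . '">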
inc/admin/views/meta-boxes/lp-meta-box-functions.php CHANGED
@@ -472,9 +472,9 @@ function lp_metabox_custom_fields( $field, $values, $key ) {
472
  ?>
473
  <td>
474
  <input name="<?php echo esc_attr( $name ); ?>" type="<?php echo $val['type']; ?>"
475
- class="input-text"
476
- placeholder="<?php echo isset( $val['placeholder'] ) ? $val['placeholder'] : ''; ?>"
477
- value="<?php echo ! empty( $values[ $cfk ] ) ? $values[ $cfk ] : ''; ?>">
478
  </td>
479
  <?php
480
  break;
@@ -488,13 +488,13 @@ function lp_metabox_custom_fields( $field, $values, $key ) {
488
  foreach ( $val['options'] as $cfks => $cfselect ) {
489
  ?>
490
  <option
491
- value="<?php echo $cfks; ?>"
492
- <?php
493
- echo ! empty( $values[ $cfk ] ) ? selected(
494
- $values[ $cfk ],
495
- (string) $cfks
496
- ) : '';
497
- ?>
498
  ><?php echo $cfselect; ?></option>
499
  <?php
500
  }
472
  ?>
473
  <td>
474
  <input name="<?php echo esc_attr( $name ); ?>" type="<?php echo $val['type']; ?>"
475
+ class="input-text"
476
+ placeholder="<?php echo isset( $val['placeholder'] ) ? esc_attr( $val['placeholder'] ) : ''; ?>"
477
+ value="<?php echo ! empty( $values[ $cfk ] ) ? esc_attr( $values[ $cfk ] ) : ''; ?>">
478
  </td>
479
  <?php
480
  break;
488
  foreach ( $val['options'] as $cfks => $cfselect ) {
489
  ?>
490
  <option
491
+ value="<?php echo esc_attr( $cfks ); ?>"
492
+ <?php
493
+ echo ! empty( $values[ $cfk ] ) ? selected(
494
+ $values[ $cfk ],
495
+ (string) $cfks
496
+ ) : '';
497
+ ?>
498
  ><?php echo $cfselect; ?></option>
499
  <?php
500
  }
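Review bot: Two outputs in the same markup stay unescaped while their neighbours are now escaped: `type="<?php echo $val['type']; ?>"` on line 474 and `><?php echo $cfselect; ?></option>` on line 498. Even if both come from field definitions rather than request data, `type="<?php echo esc_attr( $val['type'] ); ?>"` and `<?php echo esc_html( $cfselect ); ?>` keep the template uniformly escaped and cheap to audit. `lp_metabox_custom_fields()` starts and ends outside the hunks.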
inc/class-lp-checkout.php CHANGED
@@ -194,18 +194,18 @@ class LP_Checkout {
194
  $default_fields = array();
195
 
196
  if ( isset( $_POST['reg_first_name'] ) ) {
197
- $default_fields['first_name'] = $_POST['reg_first_name'];
198
  }
199
 
200
  if ( isset( $_POST['reg_last_name'] ) ) {
201
- $default_fields['last_name'] = $_POST['reg_last_name'];
202
  }
203
 
204
  if ( isset( $_POST['reg_display_name'] ) ) {
205
- $default_fields['display_name'] = $_POST['reg_display_name'];
206
  }
207
 
208
- $update_meta = isset( $_POST['_lp_custom_register_form'] ) ? $_POST['_lp_custom_register_form'] : array();
209
 
210
  $user_id = LP_Forms_Handler::learnpress_create_new_customer(
211
  $this->checkout_form_data['reg_email'],
@@ -508,7 +508,7 @@ class LP_Checkout {
508
  }
509
  }
510
 
511
- $this->checkout_form_data[ $name ] = $_POST[ $name ];
512
 
513
  break;
514
  case 'checkout-login':
@@ -526,7 +526,7 @@ class LP_Checkout {
526
  }
527
  }
528
 
529
- $this->checkout_form_data[ $name ] = $_POST[ $name ];
530
  break;
531
  case 'guest-checkout':
532
  if ( empty( $_POST['guest_email'] ) ) {
@@ -535,8 +535,8 @@ class LP_Checkout {
535
  return new WP_Error( 'email_invalid', __( 'Your email is not a valid.', 'learnpress' ) );
536
  }
537
 
538
- $this->guest_email = $_POST[ $name ];
539
- $this->_checkout_email = $_POST[ $name ];
540
  }
541
 
542
  return $validate;
194
  $default_fields = array();
195
 
196
  if ( isset( $_POST['reg_first_name'] ) ) {
197
+ $default_fields['first_name'] = LP_Helper::sanitize_params_submitted( $_POST['reg_first_name'] );
198
  }
199
 
200
  if ( isset( $_POST['reg_last_name'] ) ) {
201
+ $default_fields['last_name'] = LP_Helper::sanitize_params_submitted( $_POST['reg_last_name'] );
202
  }
203
 
204
  if ( isset( $_POST['reg_display_name'] ) ) {
205
+ $default_fields['display_name'] = LP_Helper::sanitize_params_submitted( $_POST['reg_display_name'] );
206
  }
207
 
208
+ $update_meta = isset( $_POST['_lp_custom_register_form'] ) ? LP_Helper::sanitize_params_submitted( $_POST['_lp_custom_register_form'] ) : array();
209
 
210
  $user_id = LP_Forms_Handler::learnpress_create_new_customer(
211
  $this->checkout_form_data['reg_email'],
508
  }
509
  }
510
 
511
+ $this->checkout_form_data[ $name ] = LP_Helper::maybe_unserialize( $_POST[ $name ] );
512
 
513
  break;
514
  case 'checkout-login':
526
  }
527
  }
528
 
529
+ $this->checkout_form_data[ $name ] = LP_Helper::maybe_unserialize( $_POST[ $name ] );
530
  break;
531
  case 'guest-checkout':
532
  if ( empty( $_POST['guest_email'] ) ) {
535
  return new WP_Error( 'email_invalid', __( 'Your email is not a valid.', 'learnpress' ) );
536
  }
537
 
538
+ $this->guest_email = LP_Helper::maybe_unserialize( $_POST[ $name ] );
539
+ $this->_checkout_email = LP_Helper::maybe_unserialize( $_POST[ $name ] );
540
  }
541
 
542
  return $validate;
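Review bot: The four assignments changed to `LP_Helper::maybe_unserialize( $_POST[ $name ] )` (new lines 511, 529, 538, 539) are not sanitization: if that helper wraps PHP `unserialize()` the way WordPress's `maybe_unserialize()` does, it now deserializes request-controlled strings — a well-known untrusted-input risk — and otherwise leaves the value unfiltered. Use `LP_Helper::sanitize_params_submitted( $_POST[ $name ] )` for the form fields and `sanitize_email( wp_unslash( $_POST[ $name ] ) )` for the guest e-mail, consistent with the registration hunk in this same file. In that registration hunk note that the helper's text branch no longer unslashes, so `$default_fields` now carry WordPress's added slashes into `learnpress_create_new_customer()`; confirm that is what it expects. The enclosing methods start and end outside the hunks.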
inc/class-lp-forms-handler.php CHANGED
@@ -14,10 +14,10 @@ class LP_Forms_Handler {
14
  */
15
  public static function process_become_teacher() {
16
  $args = array(
17
- 'bat_name' => isset( $_POST['bat_name'] ) ? wp_unslash( $_POST['bat_name'] ) : '',
18
- 'bat_email' => isset( $_POST['bat_email'] ) ? wp_unslash( $_POST['bat_email'] ) : '',
19
- 'bat_phone' => isset( $_POST['bat_phone'] ) ? wp_unslash( $_POST['bat_phone'] ) : '',
20
- 'bat_message' => isset( $_POST['bat_message'] ) ? wp_unslash( $_POST['bat_message'] ) : '',
21
  );
22
 
23
  $result = array(
@@ -72,7 +72,7 @@ class LP_Forms_Handler {
72
 
73
  if ( isset( $_POST['username'], $_POST['password'] ) ) {
74
  try {
75
- $username = trim( wp_unslash( $_POST['username'] ) );
76
  $password = $_POST['password'];
77
  $remember = LP_Request::get_string( 'rememberme' );
78
 
@@ -132,14 +132,14 @@ class LP_Forms_Handler {
132
  return;
133
  }
134
 
135
- $username = isset( $_POST['reg_username'] ) ? wp_unslash( $_POST['reg_username'] ) : '';
136
- $email = isset( $_POST['reg_email'] ) ? wp_unslash( $_POST['reg_email'] ) : '';
137
- $password = isset( $_POST['reg_password'] ) ? wp_unslash( $_POST['reg_password'] ) : '';
138
- $confirm_password = isset( $_POST['reg_password2'] ) ? wp_unslash( $_POST['reg_password2'] ) : '';
139
- $first_name = isset( $_POST['reg_first_name'] ) ? wp_unslash( $_POST['reg_first_name'] ) : '';
140
- $last_name = isset( $_POST['reg_last_name'] ) ? wp_unslash( $_POST['reg_last_name'] ) : '';
141
- $display_name = isset( $_POST['reg_display_name'] ) ? wp_unslash( $_POST['reg_display_name'] ) : '';
142
- $update_meta = isset( $_POST['_lp_custom_register_form'] ) ? wp_unslash( $_POST['_lp_custom_register_form'] ) : array();
143
 
144
  try {
145
  $new_customer = self::learnpress_create_new_customer(
@@ -157,6 +157,8 @@ class LP_Forms_Handler {
157
 
158
  if ( is_wp_error( $new_customer ) ) {
159
  throw new Exception( $new_customer->get_error_message() );
 
 
160
  }
161
 
162
  // Send email become a teacher.
@@ -261,9 +263,6 @@ class LP_Forms_Handler {
261
 
262
  if ( $custom_fields && ! empty( $update_meta ) ) {
263
  foreach ( $custom_fields as $field ) {
264
- if ( ! isset( $field['id'] ) ) {
265
- return new WP_Error( 'registration-custom-exists', __( 'Please go to LearnPress > Settings and save again.', 'learnpress' ) );
266
- }
267
  if ( $field['required'] === 'yes' && empty( $update_meta[ $field['id'] ] ) ) {
268
  return new WP_Error( 'registration-custom-exists', $field['name'] . __( ' is required field.', 'learnpress' ) );
269
  }
14
  */
15
  public static function process_become_teacher() {
16
  $args = array(
17
+ 'bat_name' => isset( $_POST['bat_name'] ) ? LP_Helper::sanitize_params_submitted( $_POST['bat_name'] ) : '',
18
+ 'bat_email' => isset( $_POST['bat_email'] ) ? LP_Helper::sanitize_params_submitted( $_POST['bat_email'] ) : '',
19
+ 'bat_phone' => isset( $_POST['bat_phone'] ) ? LP_Helper::sanitize_params_submitted( $_POST['bat_phone'] ) : '',
20
+ 'bat_message' => isset( $_POST['bat_message'] ) ? LP_Helper::sanitize_params_submitted( $_POST['bat_message'] ) : '',
21
  );
22
 
23
  $result = array(
72
 
73
  if ( isset( $_POST['username'], $_POST['password'] ) ) {
74
  try {
75
+ $username = trim( LP_Helper::sanitize_params_submitted( $_POST['username'] ) );
76
  $password = $_POST['password'];
77
  $remember = LP_Request::get_string( 'rememberme' );
78
 
132
  return;
133
  }
134
 
135
+ $username = isset( $_POST['reg_username'] ) ? LP_Helper::sanitize_params_submitted( $_POST['reg_username'] ) : '';
136
+ $email = isset( $_POST['reg_email'] ) ? LP_Helper::sanitize_params_submitted( $_POST['reg_email'] ) : '';
137
+ $password = $_POST['reg_password'] ?? '';
138
+ $confirm_password = $_POST['reg_password2'] ?? '';
139
+ $first_name = isset( $_POST['reg_first_name'] ) ? LP_Helper::sanitize_params_submitted( $_POST['reg_first_name'] ) : '';
140
+ $last_name = isset( $_POST['reg_last_name'] ) ? LP_Helper::sanitize_params_submitted( $_POST['reg_last_name'] ) : '';
141
+ $display_name = isset( $_POST['reg_display_name'] ) ? LP_Helper::sanitize_params_submitted( $_POST['reg_display_name'] ) : '';
142
+ $update_meta = isset( $_POST['_lp_custom_register_form'] ) ? LP_Helper::sanitize_params_submitted( $_POST['_lp_custom_register_form'] ) : array();
143
 
144
  try {
145
  $new_customer = self::learnpress_create_new_customer(
157
 
158
  if ( is_wp_error( $new_customer ) ) {
159
  throw new Exception( $new_customer->get_error_message() );
160
+ } else {
161
+ wp_new_user_notification( $new_customer );
162
  }
163
 
164
  // Send email become a teacher.
263
 
264
  if ( $custom_fields && ! empty( $update_meta ) ) {
265
  foreach ( $custom_fields as $field ) {
 
 
 
266
  if ( $field['required'] === 'yes' && empty( $update_meta[ $field['id'] ] ) ) {
267
  return new WP_Error( 'registration-custom-exists', $field['name'] . __( ' is required field.', 'learnpress' ) );
268
  }
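Review bot: Removing the `! isset( $field['id'] )` guard (old lines 264-266) leaves the loop indexing `$update_meta[ $field['id'] ]` for fields that may have no `id`, and the `admin_init` migration in inc/user/lp-user-functions.php that used to backfill `id` is commented out in this same release, so settings saved before it ran would now raise a notice here and silently skip the required-field check. Keep a guard, e.g. `if ( empty( $field['id'] ) ) { continue; }`, or restore the error. Separately, `$password = $_POST['reg_password'] ?? ''` (new line 137) drops the `wp_unslash()` the old line had, while the login path still reads `$_POST['password']` raw; unless `learnpress_create_new_customer()` unslashes, the two paths must agree on slashing or passwords containing quotes or backslashes will not verify. The enclosing methods start and end outside the hunks.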
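--- a/inc/class-lp-helper.php
+++ b/inc/class-lp-helper.php
@@ -449,7 +449,7 @@ class LP_Helper {
 $value = sanitize_key( $value );
 break;
 default:
-$value = sanitize_text_field( wp_unslash( $value ) );
+$value = sanitize_text_field( $value );
 }
 } elseif ( is_array( $value ) ) {
 foreach ( $value as $k => $v ) {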
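Review bot: Dropping `wp_unslash()` from the default branch changes the contract for every caller this release routes through `sanitize_params_submitted()`: WordPress adds slashes to `$_POST`/`$_REQUEST`, and `sanitize_text_field()` does not remove them, so text that previously came back clean now keeps the backslashes. That is correct for values handed to `update_post_meta()`/`update_user_meta()`, which unslash internally, but not for values echoed back into templates or passed to functions that take unslashed strings. Document the expectation on the method, e.g. `/** Returns slashed data; callers that echo or compare the value must wp_unslash() it first. */`, and consider a second entry point that unslashes. The method starts and ends outside the hunk.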
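--- a/inc/custom-post-types/question.php
+++ b/inc/custom-post-types/question.php
@@ -284,7 +284,7 @@ if ( ! class_exists( 'LP_Question_Post_Type' ) ) {
 $types = array_keys( learn_press_question_types() );
 $question_type = reset( $types );
 } else {
-$question_type = $_REQUEST['question-type'];
+$question_type = LP_Helper::sanitize_params_submitted( $_REQUEST['question-type'] );
 }
 
 update_post_meta( $question_id, '_lp_type', $question_type );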
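Review bot: `sanitize_params_submitted()` cleans the string but does not validate it, so `$_REQUEST['question-type']` is written to `_lp_type` as any text the request supplies, although the allow-list is already computed in the other branch. Validate against it: `$types = array_keys( learn_press_question_types() );` followed by `$question_type = in_array( $question_type, $types, true ) ? $question_type : reset( $types );`. The surrounding method starts and ends outside the hunk.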
inc/user-item/class-lp-user-item-course.php CHANGED
@@ -277,6 +277,9 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
277
  return $prop && $results && array_key_exists( $prop, $results ) ? $results[ $prop ] : $results;
278
  }
279
 
 
 
 
280
  public function calculate_course_results() {
281
  $course = $this->get_course();
282
 
@@ -284,11 +287,11 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
284
  return false;
285
  }
286
 
287
- $course_result = $course->get_evaluation_results_method();
288
 
289
  $this->load();
290
 
291
- switch ( $course_result ) {
292
  case 'evaluate_lesson':
293
  $results = $this->_evaluate_course_by_lesson();
294
  break;
@@ -310,8 +313,8 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
310
  break;
311
 
312
  default:
313
- $results = array();
314
- $results = apply_filters( 'learn-press/evaluate_passed_conditions', $results, $course_result, $this );
315
  }
316
 
317
  if ( ! is_array( $results ) ) {
@@ -337,14 +340,14 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
337
  ),
338
  'skipped_items' => $count_items - $completed_items,
339
  'status' => $this->get_status(),
340
- 'evaluate_type' => $course_result,
341
  ),
342
  $results
343
  );
344
 
345
  $graduation = '';
346
 
347
- if ( ! in_array( $this->get_status(), array( 'purchased', 'viewed' ) ) ) {
348
  $graduation = $this->is_finished() ? $this->_is_passed( $results['result'] ) : 'in-progress';
349
  }
350
 
@@ -586,7 +589,7 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
586
  * @return string
587
  */
588
  public function get_grade( string $context = 'display' ): string {
589
- $grade = $this->get_graduation();
590
 
591
  return $context == 'display' ? learn_press_course_grade_html( $grade, false ) : $grade;
592
  }
@@ -656,15 +659,9 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
656
  /**
657
  * Finish course for user
658
  *
659
- * @param bool $complete_items - Complete all items before finishing course.
660
- *
661
  * @return int
662
  */
663
- public function finish( $complete_items = false ) {
664
- if ( $complete_items ) {
665
- $this->complete_items();
666
- }
667
-
668
  $status = apply_filters(
669
  'learn-press/finish-course-status',
670
  'finished',
@@ -673,7 +670,7 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
673
  $this
674
  );
675
 
676
- $this->calculate_course_results();
677
 
678
  return parent::complete( $status );
679
  }
@@ -801,9 +798,14 @@ class LP_User_Item_Course extends LP_User_Item implements ArrayAccess {
801
  }*/
802
 
803
  protected function _is_passed( $result ) {
804
- $result = round( $result, 2 );
 
 
 
 
 
805
 
806
- return $result >= $this->get_passing_condition() ? 'passed' : 'failed';
807
  }
808
 
809
  /**
277
  return $prop && $results && array_key_exists( $prop, $results ) ? $results[ $prop ] : $results;
278
  }
279
 
280
+ /**
281
+ * @throws Exception
282
+ */
283
  public function calculate_course_results() {
284
  $course = $this->get_course();
285
 
287
  return false;
288
  }
289
 
290
+ $evaluate_type = $course->get_evaluation_results_method();
291
 
292
  $this->load();
293
 
294
+ switch ( $evaluate_type ) {
295
  case 'evaluate_lesson':
296
  $results = $this->_evaluate_course_by_lesson();
297
  break;
313
  break;
314
 
315
  default:
316
+ $results = [ 'result' => 0 ];
317
+ $results = apply_filters( 'learn-press/evaluate_passed_conditions', $results, $evaluate_type, $this );
318
  }
319
 
320
  if ( ! is_array( $results ) ) {
340
  ),
341
  'skipped_items' => $count_items - $completed_items,
342
  'status' => $this->get_status(),
343
+ 'evaluate_type' => $evaluate_type,
344
  ),
345
  $results
346
  );
347
 
348
  $graduation = '';
349
 
350
+ if ( ! $this->is_purchased() ) {
351
  $graduation = $this->is_finished() ? $this->_is_passed( $results['result'] ) : 'in-progress';
352
  }
353
 
589
  * @return string
590
  */
591
  public function get_grade( string $context = 'display' ): string {
592
+ $grade = $this->get_graduation() ?? '';
593
 
594
  return $context == 'display' ? learn_press_course_grade_html( $grade, false ) : $grade;
595
  }
659
  /**
660
  * Finish course for user
661
  *
 
 
662
  * @return int
663
  */
664
+ public function finish() {
 
 
 
 
665
  $status = apply_filters(
666
  'learn-press/finish-course-status',
667
  'finished',
670
  $this
671
  );
672
 
673
+ $results = $this->calculate_course_results();
674
 
675
  return parent::complete( $status );
676
  }
798
  }*/
799
 
800
  protected function _is_passed( $result ) {
801
+ $is_passed = LP_COURSE_GRADUATION_FAILED;
802
+ $result = round( $result, 2 );
803
+
804
+ if ( $result >= $this->get_passing_condition() ) {
805
+ $is_passed = LP_COURSE_GRADUATION_PASSED;
806
+ }
807
 
808
+ return apply_filters( 'learnpress/user/course/is-passed', $is_passed, $result );
809
  }
810
 
811
  /**
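Review bot: `finish()` silently drops its public `$complete_items` parameter (old lines 663-667); PHP ignores surplus arguments to user-defined functions, so callers passing `true` keep running but no longer complete the items, which is hard to notice. If the behaviour is meant to go, keep the parameter for one release with `_deprecated_argument( __METHOD__, '4.1.3.2' );` when it is truthy, or update the docblock to say the items are no longer completed here. In the same method `$results = $this->calculate_course_results();` assigns a local that is never read — use it or call the method as a statement. The new `@throws Exception` docblock on `calculate_course_results()` sits above a method that also returns `false` (line 287), so the return is worth documenting as well.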
inc/user/lp-user-functions.php CHANGED
@@ -2237,18 +2237,20 @@ function learnpress_get_count_by_user( $user_id = '', $post_type = 'lp_course' )
2237
 
2238
  }
2239
 
2240
- add_action(
2241
  'admin_init',
2242
  function() {
2243
  $custom_fields = LP()->settings()->get( 'register_profile_fields' );
2244
 
 
 
2245
  if ( ! empty( $custom_fields ) ) {
2246
  $output = array();
2247
 
2248
  foreach ( $custom_fields as $key => $field ) {
2249
  if ( ! isset( $field['id'] ) ) {
2250
  $output[ $key ] = array(
2251
- 'id' => sanitize_key( $field['name'] ),
2252
  'name' => $field['name'] ?? '',
2253
  'type' => $field['type'] ?? '',
2254
  'required' => $field['required'] ?? '',
@@ -2261,4 +2263,4 @@ add_action(
2261
  update_option( 'learn_press_register_profile_fields', $output );
2262
  }
2263
  }
2264
- );
2237
 
2238
  }
2239
 
2240
+ /*add_action(
2241
  'admin_init',
2242
  function() {
2243
  $custom_fields = LP()->settings()->get( 'register_profile_fields' );
2244
 
2245
+ $custom_fields = LP_Helper::sanitize_params_submitted( $custom_fields );
2246
+
2247
  if ( ! empty( $custom_fields ) ) {
2248
  $output = array();
2249
 
2250
  foreach ( $custom_fields as $key => $field ) {
2251
  if ( ! isset( $field['id'] ) ) {
2252
  $output[ $key ] = array(
2253
+ 'id' => $field['name'],
2254
  'name' => $field['name'] ?? '',
2255
  'type' => $field['type'] ?? '',
2256
  'required' => $field['required'] ?? '',
2263
  update_option( 'learn_press_register_profile_fields', $output );
2264
  }
2265
  }
2266
+ );*/
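Review bot: The migration is commented out rather than removed, and the lines inside the comment were still edited (`'id' => $field['name']` no longer goes through `sanitize_key()`), leaving dead code that would behave differently if ever re-enabled. Delete the block if the backfill is no longer wanted, or keep it live; inc/class-lp-forms-handler.php stopped guarding against fields without `id` in this same release, so something has to guarantee the key exists. Either way the `id` should remain a `sanitize_key()` result, since it is used as an array key and echoed into `name="_lp_custom_register[...]"` attributes.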
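--- a/learnpress.php
+++ b/learnpress.php
@@ -4,7 +4,7 @@
 * Plugin URI: http://thimpress.com/learnpress
 * Description: LearnPress is a WordPress complete solution for creating a Learning Management System (LMS). It can help you to create courses, lessons and quizzes.
 * Author: ThimPress
-* Version: 4.1.3.1
+* Version: 4.1.3.2
 * Author URI: http://thimpress.com
 * Requires at least: 5.6
 * Tested up to: 5.8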
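--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: elearning, education, course, lms, learning management system
 Requires at least: 5.6
 Tested up to: 5.8
 Requires PHP: 7.0
-Stable tag: 4.1.3.1
+Stable tag: 4.1.3.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -197,6 +197,9 @@ https://www.transifex.com/projects/p/learnpress/
 
 == Changelog ==
 
+= 4.1.3.2 (2021-10-15) =
+~ Fixed: security CVE-2021-39348, set sanitize for some params missing.
+
 = 4.1.3.1 (2021-09-15) =
 ~ Fixed: some shortcode of latex show incorrect on question answer.
 ~ Added: hooks for course_continue_button, course_purchase_button, course_enroll_button.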
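--- a/templates/checkout/account-register.php
+++ b/templates/checkout/account-register.php
@@ -22,11 +22,11 @@ defined( 'ABSPATH' ) || exit();
 
 <li class="form-field">
 <label for="reg_email"><?php esc_html_e( 'Email address', 'learnpress' ); ?>&nbsp;<span class="required">*</span></label>
-<input id ="reg_email" name="reg_email" type="text" placeholder="<?php esc_attr_e( 'Email', 'learnpress' ); ?>" autocomplete="email" value="<?php echo ( ! empty( $_POST['reg_email'] ) ) ? esc_attr( wp_unslash( $_POST['reg_email'] ) ) : ''; ?>">
+<input id ="reg_email" name="reg_email" type="text" placeholder="<?php esc_attr_e( 'Email', 'learnpress' ); ?>" autocomplete="email" value="<?php echo ( ! empty( $_POST['reg_email'] ) ) ? esc_attr( LP_Helper::sanitize_params_submitted( $_POST['reg_email'] ) ) : ''; ?>">
 </li>
 <li class="form-field">
 <label for="reg_username"><?php esc_html_e( 'Username', 'learnpress' ); ?>&nbsp;<span class="required">*</span></label>
-<input id ="reg_username" name="reg_username" type="text" placeholder="<?php esc_attr_e( 'Username', 'learnpress' ); ?>" autocomplete="username" value="<?php echo ( ! empty( $_POST['reg_username'] ) ) ? esc_attr( wp_unslash( $_POST['reg_username'] ) ) : ''; ?>">
+<input id ="reg_username" name="reg_username" type="text" placeholder="<?php esc_attr_e( 'Username', 'learnpress' ); ?>" autocomplete="username" value="<?php echo ( ! empty( $_POST['reg_username'] ) ) ? esc_attr( LP_Helper::sanitize_params_submitted( $_POST['reg_username'] ) ) : ''; ?>">
 </li>
 <li class="form-field">
 <label for="reg_password"><?php esc_html_e( 'Password', 'learnpress' ); ?>&nbsp;<span class="required">*</span></label>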
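Review bot: The prefilled `value` on the re-rendered form now goes through the helper's text branch, which after this release no longer calls `wp_unslash()`; since WordPress slashes `$_POST`, a submitted value containing a quote or backslash is shown back with an extra backslash, whereas the old line unslashed before `esc_attr()`. For an attribute the escape is what matters, so `esc_attr( wp_unslash( $_POST['reg_email'] ) )` (and likewise for `reg_username`) is sufficient and avoids the regression. The same applies to both inputs in templates/global/form-register.php.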
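--- a/templates/global/form-register.php
+++ b/templates/global/form-register.php
@@ -26,11 +26,11 @@ defined( 'ABSPATH' ) || exit();
 
 <li class="form-field">
 <label for="reg_email"><?php esc_html_e( 'Email address', 'learnpress' ); ?>&nbsp;<span class="required">*</span></label>
-<input id ="reg_email" name="reg_email" type="text" placeholder="<?php esc_attr_e( 'Email', 'learnpress' ); ?>" autocomplete="email" value="<?php echo ( ! empty( $_POST['reg_email'] ) ) ? esc_attr( wp_unslash( $_POST['reg_email'] ) ) : ''; ?>">
+<input id ="reg_email" name="reg_email" type="text" placeholder="<?php esc_attr_e( 'Email', 'learnpress' ); ?>" autocomplete="email" value="<?php echo ( ! empty( $_POST['reg_email'] ) ) ? esc_attr( LP_Helper::sanitize_params_submitted( $_POST['reg_email'] ) ) : ''; ?>">
 </li>
 <li class="form-field">
 <label for="reg_username"><?php esc_html_e( 'Username', 'learnpress' ); ?>&nbsp;<span class="required">*</span></label>
-<input id ="reg_username" name="reg_username" type="text" placeholder="<?php esc_attr_e( 'Username', 'learnpress' ); ?>" autocomplete="username" value="<?php echo ( ! empty( $_POST['reg_username'] ) ) ? esc_attr( wp_unslash( $_POST['reg_username'] ) ) : ''; ?>">
+<input id ="reg_username" name="reg_username" type="text" placeholder="<?php esc_attr_e( 'Username', 'learnpress' ); ?>" autocomplete="username" value="<?php echo ( ! empty( $_POST['reg_username'] ) ) ? esc_attr( LP_Helper::sanitize_params_submitted( $_POST['reg_username'] ) ) : ''; ?>">
 </li>
 <li class="form-field">
 <label for="reg_password"><?php esc_html_e( 'Password', 'learnpress' ); ?>&nbsp;<span class="required">*</span></label>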
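--- a/templates/profile/tabs/settings/basic-information.php
+++ b/templates/profile/tabs/settings/basic-information.php
@@ -79,7 +79,7 @@ $user = $profile->get_user();
 case 'tel':
 ?>
 <label for="description"><?php echo esc_html( $field['name'] ); ?></label>
-<input name="_lp_custom_register[<?php echo esc_attr( $field['id'] ); ?>]" type="<?php echo esc_attr( $field['type'] ); ?>" class="regular-text" value="<?php echo isset( $custom_profile[ $field['id'] ] ) ? $custom_profile[ $field['id'] ] : ''; ?>">
+<input name="_lp_custom_register[<?php echo esc_attr( $field['id'] ); ?>]" type="<?php echo esc_attr( $field['type'] ); ?>" class="regular-text" value="<?php echo esc_attr( $custom_profile[ $field['id'] ] ?? '' ); ?>">
 <?php
 break;
 case 'textarea':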