PT-2020-17375 · Uncanny · Uncanny Groups For Learndash

Michael Ritter · Published 2020-12-23 · Updated 2020-12-23 · CVE-2020-35650

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Uncanny Groups for LearnDash versions prior to 3.7

Description: Multiple cross-site scripting (XSS) vulnerabilities allow authenticated remote attackers to inject arbitrary JavaScript or HTML via various request parameters that are reflected into pages without proper escaping. The affected parameters are ulgm_code_redeem in user-code-redemption.php; ulgm_user_first, ulgm_user_last, ulgm_user_email, ulgm_code_registration, and ulgm_terms_conditions in user-registration-form.php; ulgm_total_seats in frontend-uo_groups_buy_courses.php; uncanny_group_signup_user_first, uncanny_group_signup_user_last, uncanny_group_signup_user_login, and uncanny_group_signup_user_email in group-registration-form.php; and the success-invited, bulk-errors, and message GET parameters in frontend-uo_groups.php.

Recommendations: Update to version 3.7 or later. As a temporary workaround until the update is applied, restrict access to the affected files and parameters: ulgm_code_redeem, ulgm_user_first, ulgm_user_last, ulgm_user_email, ulgm_code_registration, ulgm_terms_conditions, ulgm_total_seats, uncanny_group_signup_user_first, uncanny_group_signup_user_last, uncanny_group_signup_user_login, and uncanny_group_signup_user_email in the templates named above, and the success-invited, bulk-errors, and message GET parameters in frontend-uo_groups.php.
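The defect class behind this advisory is a request parameter reflected into HTML without escaping. The snippet below is an added illustration written for this page, not code from the Uncanny Groups for LearnDash plugin or from Uncanny: it shows the general unsafe pattern next to the WordPress-idiomatic fix (unslash, sanitize on input, escape for the output context). The function names are hypothetical; the parameter names come from the advisory above.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.
// WordPress helpers used: wp_unslash(), sanitize_text_field(), esc_html(), esc_attr().

// Unsafe pattern: a GET parameter is echoed straight into the page body,
// so any HTML or <script> in it is rendered by the victim's browser.
function render_notice_unsafe() {
    if ( isset( $_GET['message'] ) ) {
        echo '<div class="notice">' . $_GET['message'] . '</div>';
    }
}

// Hardened pattern for HTML body context: strip magic-quote slashes,
// sanitize the raw input, then escape for HTML text on output.
function render_notice_safe() {
    if ( ! isset( $_GET['message'] ) ) {
        return;
    }
    $message = sanitize_text_field( wp_unslash( $_GET['message'] ) );
    echo '<div class="notice">' . esc_html( $message ) . '</div>';
}

// Hardened pattern for attribute context: a value reflected back into a
// form field's value="" must use esc_attr(), not esc_html().
function render_first_name_field_safe() {
    $first = isset( $_POST['ulgm_user_first'] )
        ? sanitize_text_field( wp_unslash( $_POST['ulgm_user_first'] ) )
        : '';
    printf(
        '<input type="text" name="ulgm_user_first" value="%s">',
        esc_attr( $first )
    );
}
```

The escaping function is chosen by where the value lands: esc_html() for element text, esc_attr() for attribute values, esc_url() for href/src. Sanitizing on input alone is not sufficient, because the same stored value may later be emitted into a different context; escaping at the point of output is what closes the reflected and stored XSS paths the advisory lists.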

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-35650

Affected Products

Uncanny Groups For Learndash