The Official Blog for LifterLMS Contributors

Security Update

This releases fixes a security issue affecting LifterLMS versions 4.21.1 and earlier:

• Thank you to Amirmohammad vakili for reporting an insecure direct object reference issue.

Updates

• Added the view_grades capability which is used to determine whether or not a user has the ability to view another user’s grades on the website’s frontend.

Bug fixes

• Fixed an issue causing PHP errors when attempting to access a quiz attempt that doesn’t exist.
• Fixed a localization issue encountered when entering transaction amounts on the admin panel.

• LifterLMS Blocks 2.0.0-beta.4
• Fix default reusable password field type from plain text to password
• Change the default reusable block post titles to reduce confusion when searching for blocks in the editor

• Reorganized new files into subdirectories.
• Added serverside password minimum length validation.
• Fix duplicate password strength meter output.
• Fix the user password field type from text to password
• Fix the phone number field type from text to tel
• Fix user state select field
• Don’t autoload field values from specified datastore when a “value” is explicitly passed to the field.
• Only load published reusable blocks on the frontend of the website
• Improved the UX for editing a users account by automatically “hiding” password and email fields and only requiring them to be submitted when users explicit request an update via the field’s “change” toggle button.

Security Update

This releases fixes two security issues affecting LifterLMS versions 4.21.0 and earlier:

• Thank you to Amirmohammad vakili for reporting a way to store XSS.
• Thank you to Ashish Jha from Bluefire Redteam for reporting a reflected XSS issue on checkout screens.