Merge pull request #2270 from themeum/dev

3.9.4

Author: shewa12

assets/react/v3/entries/coupon-details/components/coupon/CouponInfo.tsx

@@ -150,6 +150,8 @@ const styles = {
     position: absolute;
     right: ${spacing[0]};
     top: ${spacing[0]};
+    min-height: auto;
+    padding-inline: ${spacing[4]};
 
     &:hover,
     &:active,

assets/react/v3/entries/order-details/components/order/PaymentBadge.tsx

@@ -8,8 +8,9 @@ const badgeMap: Record<PaymentStatus, { label: string; type: Variant }> = {
   'partially-refunded': { label: __('Partially refunded', 'tutor'), type: 'secondary' },
   refunded: { label: __('Refunded', 'tutor'), type: 'critical' },
   unpaid: { label: __('Unpaid', 'tutor'), type: 'warning' },
+  pending: { label: __('Pending', 'tutor'), type: 'warning' },
 };
 
 export function PaymentBadge({ status }: { status: PaymentStatus }) {
-  return <TutorBadge variant={badgeMap[status].type}>{badgeMap[status].label}</TutorBadge>;
+  return <TutorBadge variant={badgeMap[status]?.type ?? 'secondary'}>{badgeMap[status]?.label ?? status}</TutorBadge>;
 }

assets/react/v3/entries/order-details/services/order.ts

@@ -41,7 +41,7 @@ interface OrderCoursePlan extends OrderSummary {
 export type OrderSummaryItem = Prettify<OrderCourse | OrderBundle | OrderCoursePlan>;
 
 export type DiscountType = 'flat' | 'percentage';
-export type PaymentStatus = 'paid' | 'unpaid' | 'failed' | 'partially-refunded' | 'refunded';
+export type PaymentStatus = 'pending' | 'paid' | 'unpaid' | 'failed' | 'partially-refunded' | 'refunded';
 export type OrderStatus = 'incomplete' | 'completed' | 'cancelled' | 'trash';
 export type ActivityType =
   | 'order-placed'

classes/Course.php

@@ -2119,12 +2119,17 @@ public function mark_course_complete() {
 			die( esc_html__( 'Please Sign-In', 'tutor' ) );
 		}
 
+		if ( ! tutor_utils()->is_enrolled( $course_id, $user_id ) ) {
+			die( esc_html__( 'User is not enrolled in course', 'tutor' ) );
+		}
+
 		/**
 		 * Filter hook provided to restrict course completion. This is useful
 		 * for specific cases like prerequisites. WP_Error should be returned
 		 * from the filter value to prevent the completion.
 		 */
 		$can_complete = apply_filters( 'tutor_user_can_complete_course', true, $user_id, $course_id );
+
 		if ( is_wp_error( $can_complete ) ) {
 			tutor_utils()->redirect_to( $permalink, $can_complete->get_error_message(), 'error' );
 		} else {
@@ -2992,6 +2997,25 @@ public function course_enrollment() {
 			if ( $password_protected ) {
 				wp_send_json_error( __( 'This course is password protected', 'tutor' ) );
 			}
+
+			/**
+			 * This check was added to address a security issue where users could
+			 * enroll in a course via an AJAX call without purchasing it.
+			 *
+			 * To prevent this, we now verify whether the course is paid.
+			 * Additionally, we check if the user is already enrolled, since
+			 * Tutor's default behavior enrolls users automatically upon purchase.
+			 *
+			 * @since 3.9.4
+			 */
+			if ( tutor_utils()->is_course_purchasable( $course_id ) ) {
+				$is_enrolled = (bool) tutor_utils()->is_enrolled( $course_id, $user_id );
+
+				if ( ! $is_enrolled ) {
+					wp_send_json_error( __( 'Please purchase the course before enrolling', 'tutor' ) );
+				}
+			}
+
 			$enroll = tutor_utils()->do_enroll( $course_id, 0, $user_id );
 			if ( $enroll ) {
 				wp_send_json_success( __( 'Enrollment successfully done!', 'tutor' ) );

classes/Quiz.php

@@ -283,6 +283,12 @@ public function tutor_instructor_feedback() {
 		$attempt_details = self::attempt_details( Input::post( 'attempt_id', 0, Input::TYPE_INT ) );
 		$feedback        = Input::post( 'feedback', '', Input::TYPE_KSES_POST );
 		$attempt_info    = isset( $attempt_details->attempt_info ) ? $attempt_details->attempt_info : false;
+		$course_id       = tutor_utils()->avalue_dot( 'course_id', $attempt_info, 0 );
+
+		if ( ! tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id ) ) {
+			wp_send_json_error( tutor_utils()->error_message() );
+		}
+
 		if ( $attempt_info ) {
 			//phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize
 			$unserialized = unserialize( $attempt_details->attempt_info );

ecommerce/CouponController.php

@@ -577,10 +577,7 @@ public function get_coupons( $limit = 10, $offset = 0 ) {
 	 */
 	public function bulk_action_handler() {
 		tutor_utils()->checking_nonce();
-
-		if ( ! current_user_can( 'manage_options' ) ) {
-			tutor_utils()->error_message();
-		}
+		tutor_utils()->check_current_user_capability();
 
 		// Get and sanitize input data.
 		$request     = Input::sanitize_array( $_POST ); //phpcs:ignore --sanitized already
@@ -630,9 +627,7 @@ public function bulk_action_handler() {
 	public function coupon_permanent_delete() {
 		tutor_utils()->checking_nonce();
 
-		if ( ! current_user_can( 'manage_options' ) ) {
-			tutor_utils()->error_message();
-		}
+		tutor_utils()->check_current_user_capability();
 
 		// Get and sanitize input data.
 		$id = Input::post( 'id', 0, Input::TYPE_INT );

ecommerce/OrderController.php

@@ -84,7 +84,7 @@ public function __construct( $register_hooks = true ) {
 			 *
 			 * @since 3.0.0
 			 */
-			add_action( 'wp_ajax_tutor_order_details', array( $this, 'get_order_by_id' ) );
+			add_action( 'wp_ajax_tutor_order_details', array( $this, 'ajax_get_order_details' ) );
 
 			/**
 			 * Handle AJAX request for marking an order as paid by order ID.
@@ -258,10 +258,9 @@ public function create_order( int $user_id, array $items, string $payment_status
 	 *
 	 * @return void
 	 */
-	public function get_order_by_id() {
-		if ( ! tutor_utils()->is_nonce_verified() ) {
-			$this->json_response( tutor_utils()->error_message( 'nonce' ), null, HttpHelper::STATUS_BAD_REQUEST );
-		}
+	public function ajax_get_order_details() {
+		tutor_utils()->check_nonce();
+		tutor_utils()->check_current_user_capability();
 
 		$order_id = Input::post( 'order_id' );
 

models/CouponModel.php

@@ -810,7 +810,7 @@ public function get_coupon_details_for_checkout( $coupon_code = '' ) {
 		} else {
 			$coupon = $this->get_coupon(
 				array(
-					'coupon_code'   => $coupon_code,
+					'coupon_code'   => esc_sql( $coupon_code ),
 					'coupon_status' => self::STATUS_ACTIVE,
 				)
 			);

readme.txt

@@ -5,7 +5,7 @@ Tags: lms, course, elearning, education, learning management system
 Requires at least: 5.3
 Tested up to: 6.8
 Requires PHP: 7.4
-Stable tag: 3.9.3
+Stable tag: 3.9.4
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 
@@ -319,6 +319,11 @@ Tutor LMS allows you to offer certificates to your students upon course completi
 
 == Changelog ==
 
+= 3.9.4 - Dec 18, 2025
+
+Update: Compatibility with WordPress 6.9
+Fix: Security vulnerabilities
+
 = 3.9.3 - Nov 27, 2025
 
 Fix: Grades were auto-generated for all quizzes after a student attempted any quiz. (Pro)

tutor.php

@@ -4,7 +4,7 @@
  * Plugin URI: https://tutorlms.com
  * Description: Tutor is a complete solution for creating a Learning Management System in WordPress way. It can help you to create small to large scale online education site very conveniently. Power features like report, certificate, course preview, private file sharing make Tutor a robust plugin for any educational institutes.
  * Author: Themeum
- * Version: 3.9.3
+ * Version: 3.9.4
  * Author URI: https://themeum.com
  * Requires PHP: 7.4
  * Requires at least: 5.3
@@ -26,7 +26,7 @@
  *
  * @since 1.0.0
  */
-define( 'TUTOR_VERSION', '3.9.3' );
+define( 'TUTOR_VERSION', '3.9.4' );
 define( 'TUTOR_FILE', __FILE__ );
 
 /**